MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER, DOD
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT:  Controls  Over  Army  Deployable  Disbursing  System  Payments  Need 
Improvement (Report No. D-2011-101)

We  are  providing  this  report  for  review  and  comment.  Army  disbursing  offices  processed 
over  272,131  commercial  and  miscellaneous  payments,  totaling  $13.1  billion,  through  the 
Deployable  Disbursing  System.  Army  controls  were  inadequate  and  resulted  in  access 
control  issues,  payment  certification  deficiencies,  and  improper  payments.  In  addition,  the 
databases provided by Defense Finance and Accounting Service were missing
13,795 payments for $801.3 million. We also identified potential monetary benefits for
duplicate  payments,  totaling  $162,258,  that,  if  collected,  the  Government  could  put  to 
better  use.  We  considered  management  comments  on  a  draft  of  this  report  when  preparing 
the  final  report. 

DoD  Directive  7650.3  requires  that  recommendations  be  resolved  promptly.  The 
comments  from  the  Deputy  Chief  Financial  Officer  and  the  Assistant  Secretary  of  the 
Army  (Financial  Operations)  were  responsive  and  require  no  further  comment.  Although 
most  comments  from  the  Deputy  Director,  Operations,  Defense  Finance  and  Accounting 
Service,  were  responsive  and  require  no  further  comment,  we  request  additional 
comments on Recommendation B.2.b by September 16, 2011.

If  possible,  send  a  .pdf  file  containing  your  comments  to  audfmr@dodig.mil.  Copies  of 
your  comments  must  have  the  actual  signature  of  the  authorizing  official  for  your 
organization.  We  are  unable  to  accept  the  /Signed/  symbol  in  place  of  the  actual 
signature.  If  you  arrange  to  send  classified  comments  electronically,  you  must  send  them 
over  the  SECRET  Internet  Protocol  Router  Network  (SIPRNET). 

We  appreciate  the  courtesies  extended  to  the  staff.  Please  direct  questions  to  me  at 
(703)  601-5868  (DSN  664-5868). 




Patricia  A.  Marsh,  CPA 
Assistant  Inspector  General 
Financial  Management  and  Reporting 
Results in Brief: Controls Over Army Deployable Disbursing System Payments Need Improvement


What  We  Did 

The  objective  of  the  audit  was  to  determine  whether 
the  controls  over  transactions  processed  through  the 
Deployable  Disbursing  System  (DDS)  were 
adequate  to  ensure  the  reliability  of  the  data 
processed,  including  financial  information 
processed  by  disbursing  stations  supporting 
Operation  Iraqi  Freedom.  Army  processed  at  least 
272,131  commercial  and  miscellaneous  payments, 
totaling  $13.1  billion,  through  DDS  from  FY  2006 
through  FY  2008.  Disbursing  office  controls  over 
these  payments  were  inadequate. 

What  We  Found 

Army disbursing personnel at 16 disbursing stations
did  not  adequately  control  access  to  commercial  and 
miscellaneous  payment  data  processed  through 
DDS.  Specifically,  disbursing  personnel  used 
accounts  that  bypassed  controls  to  process 
$595.6  million  in  payments  and  assigned  the  system 
administrator  privilege  to  90  of  the  253  individual 
main  site  user  accounts  in  DDS.  Furthermore,  the 
disbursing  offices  at  the  seven  disbursing  stations 
visited  did  not  properly  restrict  access  to  DDS 
interface  files,  maintain  adequate  separation  of 
payment  duties,  and  maintain  adequate  security  and 
contingency  plans.  This  occurred  because  the  Army 
Financial  Management  Centers  did  not  effectively 
review  DDS  user  access  or  oversee  the  payment 
process,  and  the  DDS  Program  Management  Office 
did  not  provide  sufficient  visibility  in  DDS  for 
management  to  review  and  identify  access  control 
weaknesses.  As  a  result,  the  Army  is  at  risk  for 
losing  disbursing  data,  improperly  modifying 
payment  transactions,  improper  payments,  and 
unauthorized  viewing  of  personally  identifiable  or 
classified  information  for  272,131  commercial  and 
miscellaneous  payments,  totaling  $13.1  billion.  We 
identified  potential  monetary  benefits  for  duplicate 
payments,  totaling  $162,258,  that,  if  collected,  the 
Government  could  put  to  better  use. 

The  Army’s  financial  system  did  not  maintain 
accurate or complete information. Specifically,
out of the 402 commercial payments that we
nonstatistically sampled from 211,808 payments
($9.6  billion)  in  DDS,  the  financial  system  did  not 
maintain: 

•  accurate  line  of  accounting  (LOA)  information 
for  296  payments; 

•  accurate  payment  method  information  for 
140  payments;  and 

•  complete  fundamental  payment  information, 
such  as  invoice  line  item  information  for 
370  payments,  contract  or  requisition  number 
for  54  payments,  invoice  received  date  for 
48 payments, and invoice number for
30 payments.

This  occurred  because  Army  finance  offices  did  not 
properly  use  DDS  interfaces.  Further,  the  Assistant 
Secretary  of  the  Army  (Financial  Management  and 
Comptroller)  and  Director,  DFAS  (Information  and 
Technology)  did  not  develop  systems  within  Army’s 
financial  system,  including  DDS,  with  sufficient 
functionality  to  make  foreign  currency  electronic 
funds  transfer  (EFT)  payments  using  DDS  and 
comply  with  the  Core  Financial  System 
Requirements  in  requiring  fundamental  payment 
information.  Without  accurate  and  complete  data, 
DoD  cannot  maintain  complete  and  documented 
audit  trails,  which  are  necessary  to  demonstrate  the 
accuracy,  completeness,  and  timeliness  of 
transactions.  Furthermore,  DoD  funds  are  at 
increased  risk  for  improper  payments. 

The  Army  disbursing  offices  and  DFAS  did  not 
maintain  a  complete  repository  that  included 
210  DDS  database  changes.  This  occurred  because 
the  U.S.  Army  Financial  Management  Command  and 
DFAS  officials  did  not  have  procedures  on  how  to 
request,  approve,  document,  execute,  and  retain  DDS 
database  changes.  In  addition,  the  Under  Secretary 
of Defense (Comptroller)/Chief Financial Officer,
DoD,  did  not  publish  guidance  on  how  to  properly 
document  and  control  changes  to  DoD  databases.  As 
a  result,  disbursing  offices  initiated  294  database 
changes  to  adjust  $49.7  million  in  fund 
accountability without supporting documentation or
approval.  Further,  disbursing  offices  initiated 
53  database  changes  to  end-of-day  balances  on  the 
Statement  of  Accountability  report  without 
documented  approval  of  the  updated  report. 

Until controls over these payments are strengthened,
DoD funds will continue to be at risk for improper
payments  and  fraud.  Additionally,  unauthorized 
personnel  may  be  able  to  view  personally  identifiable 
and  classified  information. 

What  We  Recommend 

We  recommend  that  the  Under  Secretary  of  Defense 
(Comptroller)/Chief  Financial  Officer,  DoD,  issue 
guidance  establishing  controls  and  audit  trails  for 
changes  to  DoD  databases.  We  also  recommend 
that  the  Deputy  Assistant  Secretary  of  the  Army 
(Financial  Operations)  improve  DDS  internal 
controls  and  data  reliability,  implement  database 
change  procedures  with  DFAS,  and  review  DDS 
database  changes  that  affected  accountability. 

Management  Comments  and 
Our  Response 

The  Deputy  Chief  Financial  Officer,  Deputy 
Assistant  Secretary  of  the  Army  (Financial 
Operations), and Deputy Director, Operations,
Defense Finance and Accounting Service, agreed
with the recommendations. In addition, the U.S.
Army Financial Management Command concurred
with the potential monetary benefits. The
management comments provided were responsive in
all but one instance. We request that the Director,
Defense Finance and Accounting Service, provide
additional  comments  in  response  to 
Recommendation  B.2.b.  Please  see  the 
recommendations  table  on  the  next  page. 
Recommendations Table

| Management | Recommendations Requiring Comment | No Additional Comments Required |
| --- | --- | --- |
| Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD | | C.1.a, C.1.b, C.1.c, C.1.d, C.1.e |
| Deputy Assistant Secretary of the Army (Financial Operations) | | A.1.a, A.1.b, A.1.c, A.1.d, A.1.e, A.1.f, A.1.g, A.1.h, A.2.a, A.2.b, A.3, A.4, A.5, A.6, A.7, B.1.a, B.1.b, B.1.c, C.2.a, C.2.b, C.3 |
| Director, Defense Finance and Accounting Service | B.2.b | B.2.a, C.3 |

Please  provide  comments  by  September  16,  2011. 


Table of Contents

Introduction
  Audit Objective
  Background on the Deployable Disbursing System
  Internal Controls Over Army Payments

Finding A. Army Needs to Enhance Controls Over DDS Access and Payment Authorization
  Authorization and Access Requirements for DDS
  Disbursing Office Personnel Bypassed DDS Access Controls
  Procedures Need to be Established to Ensure Separation of Duties
  Disbursing Offices Need to Use Interfaces Properly
  Army Needs to Develop Contingency Plans
  Army Needs to Maintain Certifying Officer Appointment Letters
  Internal Control Weaknesses Affected Payment Data and Security
  Conclusion
  Recommendations, Management Comments, and Our Response

Finding B. Army’s Financial System Did Not Maintain Reliable Payment Data
  Data Reliability Requirements for DDS
  Army’s Financial System Needs to Maintain Accurate and Complete Payment Information
  Army Did Not Have a Centralized Database of DDS Data
  Conclusion
  Management Comments on the Finding and Our Response
  Recommendations, Management Comments, and Our Response

Finding C. Army and DFAS Had Inadequate Controls Over DDS Database Changes
  Database Change Audit Trail Requirements
  DDS Database Change Process
  Controls Need to Be Established Over Army DDS Database Changes
  Guidance on Database Changes Needs to Be Complete
  DoD Needs Policies for Documenting and Controlling Database Changes
  Conclusion
  Management Comments on the Finding and Our Response
  Recommendations, Management Comments, and Our Response

Appendices
  A. Audit Scope and Methodology
    Use of Computer-Processed Data
    Use of Technical Assistance
  B. Prior Coverage of the Deployable Disbursing System
  C. Army Vendor Payment Cycle

Glossary of Technical Terms

Management Comments
  Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD
  Department of the Army
  Defense Finance and Accounting Service


Introduction 

Audit  Objective 

Our  audit  objective  was  to  determine  whether  DoD  internal  controls  over  transactions 
processed  through  the  Deployable  Disbursing  System  (DDS)  were  adequate  to  ensure  the 
reliability  of  the  data  processed.  Specifically,  we  reviewed  Army  commercial  and 
miscellaneous  payments  processed  through  DDS  from  FY  2006  through  FY  2008.  We 
also  examined  financial  information  on  commercial  and  miscellaneous  payments 
processed  by  disbursing  stations  supporting  Operation  Iraqi  Freedom.  See  Appendix  A 
for  scope  and  methodology  and  Appendix  B  for  prior  coverage  related  to  the  objective. 
See the Glossary of Technical Terms for definitions of terminology used in this report.

Background  on  the  Deployable  Disbursing  System 

DoD  Inspector  General  Audit  Report  No.  D-2008-098,  “Internal  Controls  Over  Payments 
Made  in  Iraq,  Kuwait,  and  Egypt,”  May  22,  2008,  addressed  a  material  internal  control 
weakness  over  contingency  payment  audit  trails.  In  response  to  a  draft  of  that  report,  the 
Under Secretary of Defense (Comptroller)/Chief Financial Officer, DoD, stated that DDS
would  improve  the  controls.  As  follow-on  to  the  audit,  we  reviewed  the  controls  over 
commercial  and  miscellaneous  payments  processed  through  DDS.  This  audit  is  the 
fourth  in  a  series  of  audits  that  addresses  DDS  internal  controls.  The  first  audit  reported 
that the U.S. Marine Corps recorded classified information in unclassified DoD systems.1
The second audit reported that the U.S. Marine Corps’ internal controls over payments
processed through DDS were inadequate.2 The third audit reported on the Army’s
ineffective internal controls over the handling of classified information posted in DDS.3

Deployable  Disbursing  System 

The  Defense  Finance  and  Accounting  Service  (DFAS)  DDS  Program  Management 
Office  (PMO)  developed  DDS  to  fulfill  a  need  for  a  tactical  disbursing  system  and  to 
maintain  accountability  of  U.S.  Treasury  funds  entrusted  to  disbursing  agents.  DDS 
automates  a  variety  of  disbursing  office  functions  including  travel,  military,  commercial, 
and  miscellaneous  payments;  accounts  payable;  collection  processes;  and  financial 
reporting  requirements. 


1  DoD  Inspector  General  Audit  Report  No.  D-2009-054,  “Identification  of  Classified  Information  in 
Unclassified  DoD  Systems  During  the  Audit  of  Internal  Controls  and  Data  Reliability  in  the  Deployable 
Disbursing  System,”  February  17,  2009. 

2 DoD Inspector General Audit Report No. D-2010-037, “Internal Controls Over United States Marine
Corps  Commercial  and  Miscellaneous  Payments  Processed  Through  the  Deployable  Disbursing  System,” 
January  25,  2010. 

3  DoD  Inspector  General  Audit  Report  No.  D-2010-038,  “Identification  of  Classified  Information  in  an 
Unclassified  DoD  System  and  an  Unsecured  DoD  Facility,”  January  25,  2010  (FOUO). 
From FY 2006 through FY 2008, the Army used DDS at disbursing offices located in
Europe,  Korea,  and  Southwest  Asia  (SWA).  These  disbursing  offices  processed 
285,926  commercial  (contract  and  vendor)  and  miscellaneous  payments  totaling 
$13.9  billion  through  DDS.  Miscellaneous  payments  included  condolence,4  travel,  and 
military  payments.  Of  the  285,926  DDS  payments  totaling  $13.9  billion,  disbursing 
personnel in SWA processed at least 115,809 payments, totaling $6.8 billion, through
DDS.  Table  1  provides  a  breakout  of  commercial  and  miscellaneous  payments  processed 
through  DDS  from  FY  2006  through  FY  2008. 


Table 1. Army Commercial and Miscellaneous Payments Processed Through DDS from FY 2006 through FY 2008

| Source/Type of Files | Number of Payments | Value (in millions) |
| --- | --- | --- |
| DDS Databases | 272,131 | $13,111.6 |
| Commercial Payments | 211,808 | 9,607.7 |
| Miscellaneous Payments | 60,323 | 3,503.9 |
| Missing DDS Data | 13,795 | 801.3 |
| Total | 285,926 | $13,912.9 |

We performed internal control and data reliability reviews on the 272,131 payments in
the DDS databases; however, we did not determine the validity of an additional
13,795 payments, totaling $801.3 million, because the Army and DDS PMO did not
provide  a  complete  universe  of  payments  to  review.5  See  Appendix  A  for  details. 

We  completed  internal  control  reviews  for  disbursing  offices  at  16  Army  disbursing 
station’s  symbol  numbers  (DSSNs).  We  visited  7  of  the  16  DSSNs:  four  in  Europe,  one 
in  Korea,  and  two  in  SWA.  In  addition,  we  used  a  nonstatistical  random  sample  to  select 
425 out of 211,808 commercial payments to review from 10 of the 16 DSSNs: three
from  Europe,  one  from  Korea,  and  six  from  SWA. 

Army  Roles  and  Responsibilities  for  Disbursements 

The  U.S.  Army  Financial  Management  Command  (USAFMCOM),  Indianapolis,  Indiana, 
is  an  operational  activity  for  the  Assistant  Secretary  of  the  Army  (Financial  Management 
and  Comptroller).  USAFMCOM  is  the  Army  approval  authority  for  finance  technical 
issues  and  provides  technical  guidance  to  the  Army  Financial  Management  Centers 
(FMCs) in Europe, Korea, and SWA. The FMCs are responsible for management and
oversight of internal controls for theater finance operations. They are also the focal point
for all finance-related systems and policy for theater operations.


4 DoD Regulation 7000.14-R, “DoD Financial Management Regulation,” defines a condolence payment as
payments to individual civilians for death, injury, or property damage caused by U.S. coalition forces,
generally during combat.

5 We identified DDS data for 13,523 of the 13,795 missing payments; however, the data were not available
in time for our review.

Army  Procurement  and  Payment  Process 

The  audit  trail  for  the  Army  procurement  and  payment  process  begins  with  the  identified 
need  for  goods  or  services  and  the  commitment  of  funds  using  the  Resource  Management 
Tool;  the  process  ends  with  a  payment  from  DDS  and  the  transfer  of  data  to  the 
accounting  system,  Standard  Finance  System  (STANFINS).  When  a  vendor  provides  an 
invoice,  the  vendor  pay  office  enters  it  into  the  entitlement  system,  Computerized 
Accounts  Payable  System  (CAPS),  and  generates  a  voucher  from  CAPS.  When  the 
certifying  official  certifies  the  voucher  and  supporting  documentation,  the  disbursing 
office  can  make  the  payment  using  DDS.  The  disbursing  cycle  ends  when  STANFINS 
records  and  reports  the  disbursement  data.  See  Appendix  C  for  a  flowchart  of  this 
process. 

Federal  Financial  System  Requirements 

DDS  is  an  integral  component  of  the  Army’s  financial  system  (based  on  the  dollar  value 
of processed transactions). Office of Management and Budget Circular No. A-127,
“Financial Management Systems” (OMB Circular A-127), July 23, 1993,6 states that a
“financial system” is an information system consisting of applications that collect,
process,  maintain,  transmit,  and  report  data  about  financial  events. 

The  Federal  Financial  Management  Improvement  Act  of  1996  requires  that  agencies 
comply  with  Federal  accounting  standards  and  Federal  financial  management  system 
requirements  (Federal  system  requirements).  The  Office  of  Federal  Financial 
Management,  Office  of  Management  and  Budget,  issues  the  Federal  system 
requirements.  The  Office  of  Federal  Financial  Management  Report 
No.  OFFM-NO-0106,  “Core  Financial  System  Requirements,”  January  2006  (Core 
Financial  System  Requirements),  presents  the  functional  and  technical  requirements  that 
agency  financial  management  systems  must  meet  to  comply  with  the  Federal  Financial 
Management  Improvement  Act  of  1996.  These  requirements  stipulate  that  systems  have 
controls  over  function  access  (for  example,  transaction  access  and  authority  for  approval) 
and  data  access.  Inadequate  access  controls  diminish  the  reliability  of  computerized  data 
and  increase  the  risk  of  destruction  or  inappropriate  disclosure  of  data. 

According  to  the  Core  Financial  System  Requirements,  all  financial  management  systems 
must  have  security,  internal  controls,  and  accountability  built  into  the  processes  and  must 
provide  an  audit  trail.  In  addition,  the  financial  system  must  provide  automated 
functionalities  to  support  the  processes  for  document  and  transaction  control,  invoicing, 
disbursing,  and  audit  trails. 


6  OMB  Circular  A-127,  July  23,  1993,  was  the  policy  in  place  during  our  audit.  A  new  version  of  OMB 
Circular  A-127,  dated  January  2009,  has  since  superseded  this  version. 
Internal Controls Over Army Payments

DoD  Instruction  5010.40,  “Managers’  Internal  Control  Program  (MICP)  Procedures,” 
July  29,  2010,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
internal  controls  that  provides  reasonable  assurance  that  programs  are  operating  as 
intended  and  to  evaluate  the  effectiveness  of  the  controls.  We  identified  internal  control 
weaknesses for the Army. Army disbursing offices did not have adequate internal
controls over the authorization of payments, separation of duties, DDS access, and
database changes. We also identified potential monetary benefits for duplicate payments,
totaling $162,258, that, if collected, the Government could put to better use. We will
provide a copy of this report to the senior official responsible for internal controls in the
Army.
Finding A. Army Needs to Enhance Controls
Over  DDS  Access  and  Payment  Authorization 

Army  disbursing  personnel  at  16  DSSNs  did  not  adequately  control  access  to  commercial 
and  miscellaneous  payment  data  processed  through  DDS.  Specifically,  disbursing 
personnel  used  22  multiple  user  accounts  and  56  generic  user  accounts  to  process 
$595.6  million  in  payments;  using  these  accounts  bypassed  controls  and  did  not  allow  for 
identification of individuals processing payments. In addition, Army disbursing offices
assigned  the  system  administrator  privilege  to  90  of  the  253  individual  main  site  user 
accounts.  Furthermore,  the  disbursing  offices  at  the  seven  DSSNs  visited  had  the 
following  control  deficiencies. 

•  Two  DSSNs  did  not  maintain  adequate  separation  of  payment  duties. 

•  Seven  DSSNs  did  not  properly  restrict  access  to  DDS  interface  files. 

•  Six  DSSNs  did  not  maintain  adequate  contingency  plans. 

In  addition,  for  334  of  the  425  payments  reviewed,7  disbursing  offices  could  not  provide 
the  certifying  officer  appointment  letters;  the  appointment  letter  was  not  signed;  or  the 
appointment  letter  was  not  signed  by  authorized  personnel.  These  deficiencies  occurred 
because: 

•  Army  FMCs  did  not  have  effective  control  procedures  in  place  for  reviewing 
DDS  user  access  or  overseeing  the  DDS  payment  process,  and 

•  the  DDS  PMO  did  not  provide  sufficient  visibility  in  DDS  for  management  to 
readily  review  and  identify  access  control  weaknesses. 

In addition, Army disbursing personnel did not provide proper certifying officer
appointment  letters  because  the  FMCs  did  not  have  adequate  procedures  for  appointing 
certifying  officials  and  maintaining  appointment  letters. 

As a result, the Army is at risk for losing disbursing data, improperly modifying payment
transactions,  and  unauthorized  viewing  of  personally  identifiable  or  classified 
information  for  272,131  commercial  and  miscellaneous  payments,  totaling  $13.1  billion. 
In  addition,  Army  officials  could  not  show  whom  they  should  hold  pecuniarily  liable  if 
the  disbursing  personnel  made  improper  payments. 


7 We used a nonstatistical random sample to select 425 commercial payments from 211,808 commercial
payments  totaling  $9.6  billion  (Appendix  A). 
Authorization and Access Requirements for DDS

Legal  Requirements  for  Making  Payments 

According  to  section  3325,  title  31,  United  States  Code  (31  U.S.C.  §  3325  [2007]), 
Defense  agencies,  such  as  the  Army,  are  required  to  “disburse  money  only  as  provided  by 
a voucher certified by...an officer or employee of the executive agency having written
authorization  from  the  head  of  the  agency  to  certify  vouchers.” 

Public  Law  107-300,  “Improper  Payments  Information  Act  of  2002,”  section  2,  states 
that  an  agency  must  annually  review  all  programs  and  activities  that  it  administers  and 
identify  all  such  programs  and  activities  that  may  be  susceptible  to  significant  improper 
payments.  This  act  defines  an  improper  payment  as  one  that  should  not  have  been  made 
or  that  was  made  in  an  incorrect  amount  under  statutory,  contractual,  administrative,  or 
other  legally  applicable  requirements.  This  includes  any  payment  to  an  ineligible 
recipient,  ineligible  service,  duplicate  payments,  payments  for  services  not  received,  and 
any  payment  that  does  not  account  for  credit  for  applicable  discounts. 

DoD  Guidance  for  Proper  Payment  Certifications 

DoD Regulation 7000.14-R, “DoD Financial Management Regulation” (DoD FMR)
implements  31  U.S.C.  §  3325  (2007)  and  Federal  financial  system  requirements.  The 
DoD  FMR  provides  guidance  on  authorizing  and  certifying  payment  vouchers  and  on  the 
separation  of  duties  between  certifying  and  disbursing  officials.  In  addition,  DoD 
Instruction  8500.2,  “Information  Assurance  (IA)  Implementation,”  February  6,  2003, 
states  that  authorized  users  access  only  the  data  that  applies  to  their  authorized  privileges. 

DoD  FMR,  volume  5,  chapter  33,  defines  a  proper  appointment  as  the  completion  of  a 
DD Form 577, “Appointment/Termination Record/ Authorized Signature” (appointment
letter).  The  DD  Form  577  must  identify  the  payment  type,  such  as  vendor  pay,  purchase 
card,  centrally  billed  accounts,  travel,  transportation,  or  civilian  pay,  for  which  the  head 
of  the  DoD  Component  appointed  the  certifying  officer. 

DoD  FMR,  volume  5,  chapter  21,  requires  that  the  original  disbursing  office  records, 
including  appointments  and  revocations  of  accountable  individuals,  be  retained  and 
readily  accessible  to  the  disbursing  office  or  the  designated  settlement  office  for  a  6-year 
3-month  period.  In  addition,  the  National  Archives  and  Records  Administration  General 
Records  Schedule  6,  “Accountable  Officers’  Accounts  Records,”  requires  the  retention  of 
accountable  officer’s  files  for  6  years  and  3  months.  This  guidance  also  identifies  the 
certifying  officer  as  an  accountable  officer. 

System  Requirements  for  Access  Controls 

The  Core  Financial  System  Requirements  address  access  controls.  In  addition,  the 
National Institute of Standards and Technology, Federal Information Processing
Standards Publication 200, “Minimum Security Requirements for Federal Information
and Information Systems,” March 9, 2006 (NIST FIPS PUB 200), states that
organizations must limit system access to authorized users and must limit authorized user
access to permitted types of transactions and functions. Furthermore, the Government
Accountability Office, “Federal Information System Controls Audit Manual,” January
1999,8 concludes that access controls should be in place to provide reasonable assurance
that  there  is  protection  of  computer  resources  against  unauthorized  modification, 
disclosure,  loss,  or  impairment. 

Limiting  access  helps  to  ensure  that: 

• users have only the access needed to perform their duties,

•  user  access  is  limited  to  only  a  few  individuals,  and 

• users are restricted from performing incompatible functions.

Disbursing  Office  Personnel  Bypassed  DDS 
Access  Controls 

Army disbursing offices at 16 DSSNs did not have adequate controls over the access to
commercial  and  miscellaneous  payment  data  processed  through  DDS.  The  disbursing 
offices  exposed  DDS  payment  information  to  unauthorized  modification,  loss,  or 
disclosure.  Specifically,  the  Army  disbursing  offices: 

• assigned multiple user accounts to individual DDS users at 14 DSSNs,

• created generic user accounts in DDS that were not assigned to specific
individuals at 16 DSSNs,

•  assigned  access  to  system  administrator  privileges  to  an  excessive  number  of  user 
accounts  at  16  DSSNs,  and 

•  did  not  have  procedures  implementing  DoD  requirements  for  restricting  access  to 
users  with  a  need-to-know  at  five  DSSNs. 

Specifically,  disbursing  personnel  used  22  multiple  user  accounts  and  56  generic  user 
accounts  to  process  $595.6  million  in  payments;  using  these  accounts  bypassed  controls 
and  did  not  allow  for  identification  of  individuals  processing  payments.  In  addition,  Army 
disbursing  offices  assigned  the  system  administrator  privilege  to  90  of  the  253  individual 
main  site  user  accounts. 




8 The “Federal Information System Controls Audit Manual” was revised in February 2009; however, the
January 1999 version applied to the scope of our audit of FY 2006 through 2008 U.S. Army DDS data.

Disbursing Offices Assigned Multiple User Accounts

Army  disbursing  offices  circumvented  DDS  controls  by  assigning  multiple  user  accounts 
to  859  individuals  who  used  DDS  (Table  2)  at  14  DSSNs.  An  individual  with  multiple 
user  accounts  can  access  several  privileges  in  DDS  that  are  not  available  to  a  single  user 
account.  A  privilege  allows  a  user  to  perform  assigned  disbursing  functions  in  DDS. 
These  privileges  include  system  administrator,  accounting,  payment  certification,  check 
printing,  and  voucher  input.  In  addition,  this  individual  has  the  ability  to  bypass 
separation  of  duties  to  process  payments. 

Of  the  859  individuals  with  multiple  user  accounts,  22  processed  1,645  payments  for 
approximately $115.8 million by using the multiple accounts. For example, one
individual  from  DSSN  5499  (Europe  theater)  processed  1,207  payments  for  $87.5  million 
with  multiple  user  accounts. 


Table 2. Army Multiple User Accounts from FY 2006 through FY 2008

| Theater | Multiple User Accounts Created | Multiple User Accounts Used | Number of Payments Processed | Value (in millions) |
| --- | --- | --- | --- | --- |
| Europe | 172 | 11 | 1,401 | $88.0 |
| Korea | 29 | 0 | 0 | 0.0 |
| SWA | 658 | 11 | 244 | 27.7 |
| Total | 859 | 22 | 1,645 | $115.8* |

*The difference is due to rounding.

By  creating  multiple  user  accounts  in  DDS,  the  Army  disbursing  offices  circumvented 
DDS  controls  that  reduce  the  risk  of  using  one  user  account  to  process  a  payment  from 
beginning  to  end.  The  DDS  controls  limit  the  types  of  privileges  assigned  to  a  single  user 
account and do not allow for incompatible privileges. However, the user account list,
which provides the user’s name, identification, and outstanding fund balance, did not
reflect the system privileges assigned to the user. Because DDS did not provide this
visibility of user privileges, Army management could not readily identify incompatible
privileges  in  reviewing  DDS  for  multiple  user  accounts.  In  response  to  our  identification 
of  this  issue,  the  DDS  PMO  modified  DDS  to  display  privileges  assigned  to  each 
individual  on  the  user  list.  As  a  result,  we  are  not  making  a  recommendation  on  this 
issue. 

Army  FMCs  did  not  have  adequate  control  procedures  in  place  for  reviewing  DDS  user 
access  or  overseeing  the  DDS  payment  process.  According  to  the  European  FMC’s 
internal  control  procedures,  FMC’s  internal  control  personnel  review  the  individual 
DSSNs  to  ensure  that  disbursing  personnel  review  system  access  controls.  Two  DSSNs 
in  the  Europe  FMC  provided  evidence  of  reviews  over  DDS  access.  The  Korea  and 
SWA  FMCs’  disbursing  offices  did  not  include  a  review  of  DDS  system  access  controls. 




Therefore,  USAFMCOM  should  instruct  the  FMCs  to  standardize  reviews  of  DDS  user 
account  lists  and  monitor  user  access.  This  oversight  review  should: 

•  include  a  review  for  multiple  user  accounts  and  privileges, 

•  eliminate  the  use  of  multiple  user  accounts,  except  for  rare  mission  critical 
situations  with  written  justification,  and 

•  reduce  the  risk  of  misuse  of  these  accounts  and  privileges. 

Generic  User  Accounts  Allowed  Access  Without  Identification 

Army  disbursing  offices  at  16  DSSNs  established  1,062  generic  user  accounts  that 
allowed  individuals  access  to  DDS  without  identification  of  who  processed  payments  in 
DDS  (Table  3).  Of  the  1,062  generic  user  accounts,  Army  disbursing  personnel  used 
56  generic  user  accounts  to  process  10,077  payments  in  DDS  for  $479.8  million.  Generic 
user  accounts  in  DDS  are  not  specific  to  an  individual.  For  example,  we  identified  user 
accounts assigned to the following user names: CASHER CASHER and CASHIER
CASHIER.  Army  disbursing  personnel  used  the  generic  user  account,  CASHER 
CASHER,  from  DSSN  5579  (SWA  theater)  to  process  7,280  payments  for  $353.6  million 
in  DDS. 


Table 3. Army Generic User Accounts from FY 2006 through 2008

Theater   Number of Generic User Accounts   Number of Payments   Value
          Created        Used               Processed            (in millions)
Europe    111            17                 759                  $44.9
Korea     13             1                  5                    0.0*
SWA       938            38                 9,313                434.9
Total     1,062          56                 10,077               $479.8

*The total of these five payments was $2,068.

The  electronic  signature  block  in  the  DDS  user  setup  screen  does  not  require  the  system 
administrator  to  input  the  position  title  of  the  disbursing  personnel  that  corresponds  to  the 
position  on  the  appointment  letter,  such  as  deputy  disbursing  officer,  cashier,  or 
accountant  while  assigning  user  accounts.  Requiring  the  system  administrator  to  select  a 
position  title  that  corresponds  to  an  appointment  letter  when  creating  a  DDS  user  account 
would  mitigate  the  risk  of  creating  a  generic  user  account.  In  the  DoD  Inspector  General 
Audit Report No. D-2010-037, “Internal Controls Over United States Marine Corps
Commercial and Miscellaneous Payments Processed Through the Deployable Disbursing
System,” January 25, 2010, we recommended that DFAS update the DDS signature block
to require the system administrator to enter the disbursing office position title that
correlates to the individual appointment letters. In response to our recommendation,
DDS PMO modified DDS to produce an electronic appointment letter that should ensure
proper  correlation  in  DDS  between  disbursing  officer  position  and  appointment  letter.  As 
a  result,  we  are  not  making  any  additional  recommendations  on  this  issue. 

Army  FMCs  did  not  have  adequate  control  procedures  in  place  for  reviewing  DDS  user 
access  or  overseeing  the  DDS  payment  process.  USAFMCOM  should  instruct  the  FMCs 
to  establish  standardized  procedures  addressing  the  review  of  DDS  user  account  lists  and 
monitor  user  access.  The  oversight  review  should: 

•  identify  generic  user  accounts  and  privileges,  if  any, 

•  eliminate  the  use  of  generic  user  accounts,  and 

•  reduce  the  risk  of  misusing  user  accounts  and  privileges. 

Army  disbursing  offices  should  periodically  review  the  DDS  user  account  list  for 
multiple  and  generic  user  accounts.  To  verify  that  the  Army  disbursing  offices  properly 
paid  the  1,645  and  10,077  payments  processed  by  multiple  and  generic  user  accounts, 
USAFMCOM  and  Army  FMCs  should  review  the  payments.  In  addition,  USAFMCOM 
and Army FMCs should review disbursing personnel using the multiple and generic user
accounts  and,  as  appropriate,  initiate  administrative  action  against  the  appropriate 
personnel  associated  with  these  accounts. 

System  Administrator  Access  Assigned  to  Numerous  Users 

Army disbursing officials assigned the system administrator privilege to a large number
of user accounts even though this privilege allows users to manipulate DDS user access
and payment data and to view personally identifiable information. Specifically, Army
disbursing  offices  at  16  DSSNs  assigned  the  system  administrator  privilege  to 
90  (36  percent)  of  the  253  individual  main  site  user  accounts  in  DDS.  This  privilege 
allowed  the  user  to  access  the  user  setup  screen,  which  included  Privacy  Act  personally 
identifiable  information  of  DDS  users,  such  as  social  security  number  and  name.  The 
system  administrator  privilege  also  allowed  the  user  to: 

•  manipulate  DDS  payment  data, 

•  grant  or  deny  user  access  by  creating  user  accounts, 

•  update  user  accounts, 

•  assign  access  privileges, 

•  reset  passwords, 

•  activate or deactivate accounts,

•  back out payments already certified or paid, and

•  archive  and  purge  data. 

Table  4  illustrates,  by  theater,  the  number  of  disbursing  station  users  assigned  the  system 
administrator  privilege. 


Table 4. Army System Administrator Privilege from FY 2006 through FY 2008

Theater             Number of Disbursing    Number of User Accounts   Percent of User Accounts
                    Station User Accounts   With System               With System
                                            Administrator Privilege   Administrator Privilege
Europe              118                     42                        36
Korea               28                      9                         32
SWA                 107                     39                        36
Total and Percent   253                     90                        36

Army  disbursing  personnel  stated  that  they  needed  to  assign  the  system  administrator 
privilege  to  DDS  users  so  they  could  back  out  payments  in  DDS.  Army  disbursing 
offices  should  assign  the  system  administrator  privilege  to  only  a  minimum  number  of 
user  accounts.  Army  FMCs  did  not  have  control  procedures  for  Army  disbursing 
personnel  to  review  DDS  user  access  and  to  document  and  monitor  the  assignment  of  the 
system  administrator  privilege  to  DDS  users.  As  part  of  the  Army  oversight  function, 
USAFMCOM  should  instruct  the  FMCs  to  develop  standardized  procedures,  such  as 
reviewing  DDS  user  access  privileges,  to  restrict  this  level  of  access  to  a  minimum 
number  of  users  as  necessary. 
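
The periodic review of DDS user account lists that the report calls for (multiple accounts per individual, generic accounts, and the share of accounts holding the system administrator privilege) can be scripted; the following is an added example, not part of the report or of DDS. The CSV export layout, the person_id column, the incompatible privilege pairs, and the role-word heuristic are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Privilege names as listed in the report for DDS user accounts.
PRIVILEGES = {"system administrator", "accounting", "payment certification",
              "check printing", "voucher input"}

# ASSUMPTION: the report does not enumerate the incompatible pairs; these two
# are illustrative, based on its call to separate certification from payment.
INCOMPATIBLE = [frozenset({"voucher input", "payment certification"}),
                frozenset({"payment certification", "check printing"})]

# ASSUMPTION: heuristic list of position words that are not personal names.
ROLE_WORDS = {"CASHIER", "CASHER", "ACCOUNTANT", "ADMIN", "DEPUTY", "OFFICER"}

# Constructed sample export (hypothetical columns); not real DDS data.
SAMPLE_USER_LIST = """account_id,person_id,user_name,privileges
A001,P100,SMITH JOHN,voucher input
A002,P100,SMITH J,payment certification
A003,,CASHER CASHER,check printing
A004,P300,DOE JANE,system administrator;accounting
A005,P400,LEE ANN,system administrator
A006,P500,CRUZ MARIA,accounting
"""


def load_accounts(text):
    """Parse the export; reject privileges that are not in the known set."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        privs = {p.strip().lower() for p in row["privileges"].split(";") if p.strip()}
        unknown = privs - PRIVILEGES
        if unknown:
            raise ValueError(f"{row['account_id']}: unknown privilege(s) {sorted(unknown)}")
        accounts.append({"account_id": row["account_id"].strip(),
                         "person_id": row["person_id"].strip(),
                         "user_name": row["user_name"].strip(),
                         "privileges": privs})
    return accounts


def is_generic(account):
    """Generic: no person behind it, a repeated token, or only role words."""
    tokens = account["user_name"].upper().split()
    repeated = len(set(tokens)) < len(tokens)
    role_only = all(t in ROLE_WORDS for t in tokens)  # also True for an empty name
    return not account["person_id"] or repeated or role_only


def review(accounts):
    """Return the findings an access reviewer would need to follow up on."""
    generic = {a["account_id"] for a in accounts if is_generic(a)}
    individual = [a for a in accounts if a["account_id"] not in generic]

    by_person = defaultdict(list)
    for a in individual:
        by_person[a["person_id"]].append(a)

    multiple, conflicts = {}, {}
    for person, accts in by_person.items():
        if len(accts) < 2:
            continue
        multiple[person] = sorted(a["account_id"] for a in accts)
        combined = set().union(*(a["privileges"] for a in accts))
        # Flag pairs reachable only by combining accounts, which is how
        # per-account privilege limits get bypassed.
        hits = [tuple(sorted(pair)) for pair in INCOMPATIBLE
                if pair <= combined and not any(pair <= a["privileges"] for a in accts)]
        if hits:
            conflicts[person] = sorted(hits)

    admins = sorted(a["account_id"] for a in individual
                    if "system administrator" in a["privileges"])
    share = len(admins) / len(individual) if individual else 0.0
    return {"generic": sorted(generic), "multiple": multiple,
            "sod_conflicts": conflicts, "admin_accounts": admins,
            "admin_share": share}


if __name__ == "__main__":
    for key, value in review(load_accounts(SAMPLE_USER_LIST)).items():
        print(f"{key}: {value}")
```

Each finding maps to a follow-up action in the report: written justification or removal for multiple accounts, removal of generic accounts, and a documented reason for every account in admin_accounts.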

Army  Needs  to  Follow  DoD  Requirements  for  Restricting  Access 

Army  disbursing  offices  did  not  document  DDS  users’  security  clearances,  need-to-know, 
and  information  assurance  responsibilities  when  granting  access  to  DDS.  Army 
disbursing  offices  did  not  follow  DoD  Instruction  8500.2,  “Information  Assurance  (IA) 
Implementation,”  February  6,  2003,  for  restricting  access  to  users  with  a  need-to-know. 
Only  users  with  a  need-to-know  should  access  the  system  because  DDS  maintained 
personally  identifiable  information  such  as  name,  social  security  number,  or  personal 
information that linked to an individual's identity. DoD Instruction 8500.2 requires that
each information assurance officer ensure that all users have the requisite security
clearances and supervisory need-to-know authorization and are aware of their
information assurance responsibilities before granting access to DoD information
systems. Army disbursing offices should limit access to users with a need-to-know to
provide reasonable assurance that they are protecting computer resources against
unauthorized modification, disclosure, loss, or impairment.

Of the seven DSSNs we visited, five did not have standard procedures requiring the
Army to comply with DoD Instruction 8500.2. The remaining two DSSNs documented
in their standard procedures a formal process for granting DDS access, such as
completing the DD Form 2875 “System Authorization Access Request”
(DD Form 2875). These DSSNs used DD Form 2875 to record names, signatures, and
social security numbers for validating the trustworthiness of individuals requesting access
to DoD systems and information. The form specified the authorized level of system
access  for  an  individual.  In  addition,  these  two  DSSNs  also  implemented  local  guidance 
to  review  DDS  on  a  regular  basis  to  ensure  user  access  and  privileges  are  consistent  with 
the  DD  Forms  2875.  This  will  assist  in  ensuring  the  privileges  assigned  to  the  user  are 
consistent  with  their  roles  and  responsibilities  in  DDS. 

Although  DoD  provides  DD  Form  2875  to  ensure  all  DDS  users  meet  the  DoD 
information assurance requirements before granting access to a DoD system, Army
disbursing offices did not require the form for users to access DDS. To ensure that only
individuals with a need-to-know access DDS at all Army disbursing offices,
USAFMCOM should require the FMCs to either use the DD Form 2875 or another
method that ensures users’ security clearances, need-to-know, and awareness of
information assurance responsibilities are consistent with their DDS privileges.

DDS  PMO  Took  Action  to  Address  Previous  Recommendations 

DoD Inspector General Report No. D-2010-037, “Internal Controls Over United States
Marine Corps Commercial and Miscellaneous Payments Processed Through the Deployable
Disbursing System,” January 25, 2010, recommended that DFAS management address
modifications to DDS that would assist the U.S. Marine Corps in
reviewing  for  and  monitoring  the  use  of  multiple,  generic,  and  system  administrator 
accounts.  DFAS  management  agreed  to  our  recommendations,  and  DDS  PMO  personnel 
addressed  the  changes  to  DDS  through  system  change  requests.  As  of  September  20, 
2010,  DDS  PMO  personnel  modified  DDS  to  produce  an  electronic  DD  Form  577, 
“Appointment/Termination  Record,”  and  display  the  privileges  assigned  to  each 
individual  on  the  user  report. 

Procedures  Need  to  be  Established  to  Ensure 
Separation  of  Duties 

The  disbursing  offices  at  two  of  the  seven  DSSNs  visited  did  not  establish  procedures  to 
ensure  adequate  separation  of  duties: 

•  Finance  office  personnel  at  DSSN  8763  (Europe  theater)  in  Kosovo  had  the 
capability  to  enter  transactions  into  CAPS  and  make  payments  through  DDS,  and 
a  disbursing  officer  certified  and  disbursed  funds;  and 


•  a disbursing officer at DSSN 5579 (SWA theater) inappropriately appointed
certifying  officials. 

In  addition,  the  lack  of  separation  of  duties  between  Army  contracting  and  paying 
activities  led  to  the  opportunity  for  stealing  Government  funds. 

Finance  Office  Personnel  Entered  Entitlements  and  Made  the 
Payments 

An Army finance office did not comply with the DoD FMR in separating the duties of
recording  transactions  and  making  payments.  Army  officials  at  DSSN  8763  allowed  the 
same  individuals  in  the  finance  office  to  maintain  the  ability  to  record  transactions  into 
CAPS  and  make  payments  from  DDS.  DoD  FMR,  volume  5,  chapter  1,  states  that 
separate  individuals  are  required  to  perform  each  step  in  the  disbursing  process,  such  as: 

•  authorizing,  approving,  and  recording  transactions; 

•  issuing  or  receiving  assets;  and 

•  making  payments. 

Because  finance  office  personnel  had  the  ability  to  access  payments  in  CAPS,  Army 
procedures  should  prohibit  them  from  processing  disbursements  out  of  DDS. 

Disbursing  Officer  Certified  a  Payment 

The  disbursing  officer  at  DSSN  8763  certified  one  commercial  payment  processed  from 
CAPS  through  DDS.  DoD  FMR,  volume  5,  chapter  33,  states  that  a  disbursing  officer  is 
not  eligible  for  appointment  as  a  certifying  officer  and  may  not  appoint  a  certifying 
officer.  Therefore,  disbursing  officers  should  not  sign  vouchers  as  certifying  officers. 

Disbursing  Officer  Appointed  Certifying  Officers 

The  disbursing  officer  at  DSSN  5579  appointed  four  certifying  officers  who  certified 
10  commercial  payments.  DoD  FMR,  volume  5,  chapter  33,  states  that  a  disbursing 
officer may not appoint a certifying officer. However, current Army guidance allows the
appointment of commanding officers as disbursing officers. Individuals that are
dual-appointed as disbursing officers and commanding officers have the ability to appoint
certifying officers. This ability for dual-appointed officers to appoint certifying officers
conflicts with the DoD FMR policy restricting disbursing officers from appointing
certifying officers.

Contracting Representative Stole Government Funds

We  assisted  Defense  Criminal  Investigative  Service  on  a  case  that  involved  a  theft  of 
$690,000  in  Commander’s  Emergency  Response  Program  funds.  The  lack  of  separation 
of duties between Army contracting and paying activities, such as an Army contracting
representative who also performed payment functions, led to the opportunity for stealing
Government funds. These activities included creating questionable contracts and making the
payments associated with those contracts. If the Army had sufficient controls in place to
prevent the contracting representative from performing both contracting and payment
activities, it may have prevented the theft of Government funds. On December 7, 2009,
this Army contracting representative pled guilty to money laundering and stealing
Government  funds. 

In  addition,  the  Army  paying  agents  who  gave  the  Commander’s  Emergency  Response 
Program  funds  to  the  Army  contracting  representative  neglected  their  duties.  The  paying 
agents  were  legally  responsible  for  those  funds  as  the  paying  agent  appointment  letter 
specifically  states,  “funds  will  not  be  entrusted  to  others.”  The  contracting  representative 
paid  out  $4.5  million  in  funds  provided  by  the  paying  agents.  USAFMCOM  should  work 
with U.S. Central Command to order an Army Regulation 15-6, “Procedures for
Investigating  Officers  and  Board  of  Officers,”  investigation  of  the  two  Army  paying 
agents’  activities  and,  based  on  the  investigation  results,  initiate  appropriate  criminal, 
civil,  or  administrative  actions.  We  are  conducting  an  audit  to  review  controls  over 
Commander’s  Emergency  Response  Program  payments  made  in  Afghanistan. 

USAFMCOM  Should  Implement  Policy  to  Improve  Separation  of 
Duties 

The Deputy Assistant Secretary of the Army (Financial Operations) established policy on
June 26, 2009, that states that Commands, with subordinate activities performing
disbursing  operations,  should  regularly  review  disbursing  and  entitlement  systems’  access 
profiles  to  ensure  appropriate  separation  of  duties.  USAFMCOM  provided  evidence  that 
Army  disbursing  offices  performed  reviews  of  disbursing  system  access  profiles. 
However,  these  reviews  did  not  indicate  whether  there  was  proper  separation  of  duties 
between  users  of  the  entitlement  and  disbursing  systems.  Therefore,  USAFMCOM 
should require that Army finance offices perform periodic reviews of access profiles to
ensure  proper  separation  of  duties  between  users  of  the  entitlement  and  disbursing 
systems.  In  addition,  USAFMCOM  needs  to  issue  guidance  clarifying  that  those 
individuals  who  are  dually  appointed  as  disbursing  officers  and  commanding  officers 
cannot  appoint  certifying  officers.  USAFMCOM  should  require  all  FMCs  to  certify 
payments  in  accordance  with  DoD  FMR. 


Disbursing Offices Need to Use Interfaces Properly

Army  disbursing  offices  did  not  implement  an  interface  strategy  or  interface-processing 
procedure  ensuring  proper  restriction  to  access  interface  data  and  processes. 

The  seven  DSSNs  visited  either  did  not  use  the  interfaces  with  DDS  or  manually 
manipulated  the  DDS  interface  files. 

•  DSSN  8763  (Europe  theater)  did  not  use  the  CAPS  interface  to  process 
payments  with  DDS. 

•  DSSN  6335  (Europe  theater)  did  not  use  the  STANFINS  interface  to  pass 
accounting  information  from  DDS  to  STANFINS. 

•  Six  of  the  seven  DSSNs  adjusted  data  in  the  accounting  interface  file  before 
submitting  it  for  upload  into  STANFINS. 

Controls  over  the  use  of  DDS  and  its  interfacing  systems  were  not  adequate  and  allowed 
Army  disbursing  personnel  to  manually  intervene  with  the  processing  of  the  interfaces. 
Therefore,  the  data  between  the  systems  may  not  match,  and  there  may  not  be  a 
transparent  audit  trail  between  the  interfacing  systems.  USAFMCOM  should  require  all 
FMCs  to  limit  access  to  interface  data  and  processes  to  personnel  responsible  for 
processing  interface  files.  See  Finding  B  for  further  detail  on  Army  disbursing  offices’ 
use  of  DDS  interfaces  with  CAPS  and  STANFINS. 

Army  Needs  to  Develop  Contingency  Plans 

Six  of  the  seven  DSSNs  visited  did  not  maintain  adequate  continuity  of  operations  plans 
(COOP)  for  DDS.  A  COOP  establishes  procedures  necessary  to  ensure  uninterrupted, 
essential  functions  across  a  wide  range  of  potential  emergencies,  including  localized  acts 
of  nature,  accidents,  and  technological  or  attack-related  emergencies. 

Army FMCs did not ensure the Army maintained an adequate COOP for six of the
seven  DSSNs.  The  NIST  FIPS  PUB  200  states  that,  “organizations  must  establish, 
maintain,  and  effectively  implement  plans  for  emergency  response,  backup  operations, 
and  post-disaster  recovery  for  organizational  information  systems  to  ensure  the 
availability  of  critical  information  resources  and  continuity  of  operations  in  emergency 
situations.”  In  addition,  Army  Regulation  500-3,  “U.S.  Army  Continuity  of  Operations 
Program Policy and Planning,” April 2008, states that Commanders or senior Army
officials  will  ensure  their  subordinate  organizations  or  activities  develop  and  maintain 
their  own  supporting  COOP  procedures.  The  Government  Accountability  Office, 
“Federal  Information  System  Controls  Audit  Manual,”  also  provides  that  organizations 
develop  and  document  an  application  contingency  plan  as  part  of  control  activities. 

DSSN  6411  (Korea  theater)  was  the  only  disbursing  office  that  had  an  adequate  COOP  in 
place.  The  COOP  included  DDS  as  a  “Priority  1”  system  that  needs  to  be  operational 
within  24  hours  of  COOP  activation.  Disbursing  offices  for  three  of  the  four  DSSNs  in 
the Europe theater maintained a COOP, but the plans were outdated or did not
specifically address DDS. The DSSNs in the SWA theater did not maintain a COOP.
Because  the  Army  FMCs  did  not  ensure  all  disbursing  offices  using  DDS  had  a  COOP, 
the  Army  did  not  comply  with  NIST  FIPS  PUB  200  requirements  and  Army  regulations. 
USAFMCOM  should  require  all  DSSNs  using  DDS  to  develop  and  implement  an 
adequate  COOP. 

Army  Needs  to  Maintain  Certifying  Officer 
Appointment  Letters 

Army disbursing offices did not maintain proper certifying officer appointment letters
for personnel who certified payments in our sample. We used a nonstatistical random
sample to select 425 payments, obtained from 10 DSSNs in the Europe, Korea, and
SWA theaters, from 211,808 commercial payments, totaling $9.6 billion, paid in
FY 2006 through 2008 (Appendix A). For 334 of
the 425 sample payments, Army disbursing offices did not maintain proper certifying
officer  appointment  letters  for  personnel  who  certified  vouchers.  Having  properly 
appointed  officers  certify  that  a  voucher  is  ready  for  payment  is  a  critical  internal  control 
function  that  the  Army  needs  to  ensure  a  payment  is  proper.  We  did  not  identify  issues 
with  the  appointment  letters  for  the  certifying  officers  who  were  appointed  at  the  time  of 
our  visits  to  the  Europe  and  Korea  DSSNs.  Table  5  shows  a  breakout  of  the  results  of  our 
request  for  certifying  officer  appointment  letters  by  theater  and  number  of  payments 
affected. 




Table 5. Results of Review for Proper Payment Authorization

Results                                                  Europe   Korea   SWA   Total
Inadequate Support for Proper Authorization Provided     61       130     143   334
Payments Certified - Appointment Letter Not Provided     53       130     114   297
Payments Certified - by Unauthorized Personnel           1        0       27    28
Payments Not Certified - Appointment Letter Not Signed   7        0       2     9
Payments Certified - Proper Authorization Provided       89       0       2     91
Total Payments Reviewed for Proper Authorization         150      130     145   425

Certifying Officer Appointment Letters Not Available

Army  disbursing  offices  did  not  provide  certifying  officer  appointment  letters  for 
individuals  who  certified  297  of  the  sample  payments,  totaling  $8.7  million,  from 
eight  DSSNs.  Personnel  at  DSSN  6411  (Korea  theater)  stated  that  they  destroyed 
certifying officer appointment letters upon terminating appointments. Personnel at
DSSN 8547 (SWA theater) forwarded the documents to a storage facility; however, the
storage facility personnel could not locate the requested documents. Army disbursing
personnel  did  not  explain  why  the  remaining  six  DSSNs  in  the  European  and  SWA 
theater  did  not  provide  certifying  officer  appointment  letters. 

Unauthorized  Personnel  Certified  Payments 

Army disbursing personnel from DSSNs 8763 (Europe theater), 5579, 5588, 8549, and
8589  (SWA  theater)  did  not  properly  authorize  28  of  the  sample  payments,  totaling 
$500,000.  The  appointment  letters  for  the  certifying  officers  who  certified  these 
28  sample  payments  included  authorizations  for  disbursing  personnel  to  certify  military 
pay,  but  not  commercial  payments,  and  letters  that  were  not  officially  signed.  In  other 
appointment  letters,  disbursing  officers  had  improperly  appointed  certifying  officers.  For 
example,  a  disbursing  officer  appointed  four  certifying  officers  using  a  memorandum  for 
record; however, the DoD FMR volume 5, chapter 33, requires a DD Form 577,
“Appointment/Termination Record/Authorized Signature,” to appoint a certifying officer.

Payments  Were  Not  Certified  and  Not  Authorized 

Army disbursing personnel did not certify nine of the sample payments, totaling $31,236.
We  obtained  the  uncertified  payments  from  DSSNs  5499,  6335,  8763  (Europe  theater), 
5579,  and  8547  (SWA  theater).  According  to  DoD  FMR,  volume  5,  chapter  33,  the 
payments  are  unauthorized  unless  signed  by  an  authorized  certifying  officer. 

Disbursing  Offices  Provided  Proper  Certifying  Officer 
Appointment  Letters 

Army disbursing offices provided proper certifying officer appointment letters for the
individuals  who  certified  91  of  the  sample  payments,  totaling  $1.3  million.  We  obtained 
appointment  letters  for  those  who  certified  89  of  the  payments  for  two  European  DSSNs 
where  the  appointed  individuals  who  signed  the  vouchers  were  still  serving  as  certifying 
officers  during  the  audit.  Although  we  received  those  appointment  letters,  these  DSSNs 
did  not  retain  appointment  letters  for  previous  certifying  officers. 

Army  FMCs  Need  to  Improve  Certifying  Officer 
Appointment  Procedures 

The  Army  FMCs  did  not  support  the  proper  certification  of  334  of  the  425  sample 
commercial  payments  obtained  from  the  10  DSSNs  reviewed  for  certifying  officer 
appointment  letters.  Army  did  not  comply  with  31  U.S.C.  §  3325  (2007)  and  DoD  FMR, 
volume  5,  chapters  21  and  33,  for  document  retention  and  written  authorization  for 
certifying  vouchers.  Without  certifying  officer  appointment  letters,  auditors  and 
reviewers cannot determine whether the certifying officers properly reviewed the
commercial payments or who the Army should hold pecuniarily liable if the Army made
improper  payments.  Therefore,  USAFMCOM  should  require  the  FMCs  to  certify 
vouchers  and  retain  documents  in  accordance  with  31  U.S.C.  §  3325  (2007)  and 
DoD  FMR,  volume  5,  chapters  21  and  33. 

Internal  Control  Weaknesses  Affected  Payment  Data 
and  Security 

Gaps  in  Army  FMC  and  disbursing  office  internal  controls  over  system  access,  separation 
of  duties,  data  protection,  contingency  plans,  and  payment  authorizations  place  payments 
at  increased  risk  for  lost  disbursing  data,  unauthorized  modification  of  transactions, 
improper payments, and unauthorized viewing of personally identifiable or classified
information.  Army  disbursing  personnel  made  duplicate  payments  and  processed 
classified  information  through  DDS. 

Army  Personnel  Made  Duplicate  Payments  to  Vendors 

Because  of  the  gaps  in  Army  FMC  and  disbursing  office  controls,  disbursing  personnel 
made  nine  duplicate  payments,  totaling  $162,258,  to  vendors  for  goods  or  services  and 
did  not  collect  on  these  improper  payments.  We  referred  two  of  the  duplicate  payments 
to  the  Defense  Criminal  Investigative  Service  because  of  the  suspicious  and  potentially 
fraudulent  nature  of  the  payments.  USAFMCOM  should  review  the  remaining  seven 
duplicate  payments,  collect  the  overpayments,  and  determine  whether  to  proceed  with 
administrative  action  against  the  personnel  responsible  for  the  duplicate  payments.  If  the 
Army collects these duplicate payments, the Government can put the funds to better use.

Unauthorized  Access  to  Personally  Identifiable  or  Classified 
Information  in  DDS 

Gaps in internal controls over system access could cause personnel without a
need-to-know to gain unauthorized access to personally identifiable or classified information in
DDS. We disclosed the presence of classified information in DoD Inspector General
Report  No.  D-2010-038,  “Identification  of  Classified  Information  in  an  Unclassified  DoD 
System  and  an  Unsecured  DoD  Facility,”  January  25,  2010  (For  Official  Use  Only). 
Specifically,  Army  disbursing  personnel  processed  655  payments  that  contained 
classified information in DDS, an unclassified DoD system. The Army corrected these
issues  through  implementing  the  recommendations  identified  in  that  report. 

Conclusion 

Army disbursing offices circumvented internal controls for access to DDS information,
did not properly separate certifying and disbursing duties when making payments, and
did not comply with regulations when supporting certifying officer appointments. In
addition, Army FMCs did not ensure that the disbursing offices maintained plans for
protecting  data. 

Army FMC officials need to strengthen their control procedures and management
oversight of disbursing offices to prevent disbursing personnel from making unauthorized
and improper payments. These procedures should address the disbursement process to
ensure disbursing personnel are making payments in accordance with legal and
DoD  FMR  requirements.  At  a  minimum,  these  procedures  should  address: 


•  eliminating  the  use  of  multiple  user  accounts  and  requiring  written  justification 
when  multiple  user  accounts  are  needed, 

•  eliminating  the  use  of  generic  user  accounts, 

•  minimizing the number of users with the system administrator privilege,

•  requiring  proper  voucher  certification,  and 

•  separating  voucher  certification  and  payment  functions. 

Because  of  these  control  deficiencies,  the  Assistant  Secretary  of  the  Army  (Financial 
Management  and  Comptroller)  should  establish  a  standardized  control  process  for  the 
FMCs  to  use  in  examining  the  listed  control  procedures.  DoD  depends  on  responsible 
officials  to  make  payments  and  to  oversee  the  disbursement  of  Government  funds. 
Strong  internal  controls  over  the  disbursing  operations  are  critical  to  reducing  the  risk  of 
improper  payments  or  fraudulent  activity. 
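
A periodic review of the kind these control procedures call for can be run against an exported user list and voucher log. The sketch below is an added example, not code from the report or from DDS; the record layout, role names, and the `max_admins` threshold are assumptions, and the sample accounts and vouchers are constructed.

```python
"""Access review for a disbursing system's user list (constructed sample data)."""
from collections import defaultdict

# Constructed sample. Field and role names are assumptions, not a DDS export.
# An empty "person" marks a generic account that no individual owns.
ACCOUNTS = [
    {"user_id": "jsmith1", "person": "Smith, J.", "roles": {"certify"}, "justification": ""},
    {"user_id": "jsmith2", "person": "Smith, J.", "roles": {"disburse"}, "justification": ""},
    {"user_id": "cashier", "person": "", "roles": {"disburse"}, "justification": ""},
    {"user_id": "alee", "person": "Lee, A.", "roles": {"sysadmin", "disburse"}, "justification": ""},
    {"user_id": "bkim", "person": "Kim, B.", "roles": {"sysadmin"}, "justification": ""},
    {"user_id": "cdiaz", "person": "Diaz, C.", "roles": {"certify"}, "justification": ""},
    {"user_id": "cdiaz_bk", "person": "Diaz, C.", "roles": {"certify"},
     "justification": "written memo on file"},
]

# Constructed voucher log: which account certified and which account paid.
PAYMENTS = [
    {"voucher": "V-001", "certified_by": "jsmith1", "paid_by": "jsmith2"},
    {"voucher": "V-002", "certified_by": "cdiaz", "paid_by": "alee"},
    {"voucher": "V-003", "certified_by": "cdiaz", "paid_by": "cashier"},
]


def review_accounts(accounts, max_admins=1):
    """Flag generic accounts, unjustified multiple accounts, role conflicts, excess admins."""
    findings = {"generic": [], "multiple_unjustified": [],
                "sod_conflict": [], "excess_admins": []}
    by_person = defaultdict(list)
    for acct in accounts:
        if not acct["person"]:
            findings["generic"].append(acct["user_id"])
        else:
            by_person[acct["person"]].append(acct)

    for person, accts in sorted(by_person.items()):
        # One account needs no justification; every additional one does.
        unjustified = [a for a in accts if not a["justification"]]
        if len(accts) > 1 and len(unjustified) > 1:
            findings["multiple_unjustified"].append(
                (person, sorted(a["user_id"] for a in accts)))
        # Separation of duties is evaluated per person, not per account:
        # two accounts held by one person can split the conflicting roles.
        roles = set().union(*(a["roles"] for a in accts))
        if {"certify", "disburse"} <= roles:
            findings["sod_conflict"].append(person)

    admins = sorted(a["user_id"] for a in accounts if "sysadmin" in a["roles"])
    if len(admins) > max_admins:
        findings["excess_admins"] = admins
    return findings


def review_payments(payments, accounts):
    """Flag vouchers certified and paid by one person, or touched by a generic account."""
    owner = {a["user_id"]: a["person"] for a in accounts}
    flagged = []
    for pay in payments:
        certifier = owner.get(pay["certified_by"], "")
        payer = owner.get(pay["paid_by"], "")
        if not certifier or not payer:
            flagged.append((pay["voucher"], "unattributable: generic or unknown account"))
        elif certifier == payer:
            flagged.append((pay["voucher"], "same person certified and paid"))
    return flagged


if __name__ == "__main__":
    for category, items in review_accounts(ACCOUNTS).items():
        print(category, items)
    for voucher, reason in review_payments(PAYMENTS, ACCOUNTS):
        print(voucher, reason)
```

A per-account role check passes both of the first two constructed accounts; resolving accounts to their owner is what exposes that one person holds both the certifying and the disbursing role.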

Recommendations, Management Comments, and Our Response

A.  We  recommend  that  the  Deputy  Assistant  Secretary  of  the  Army  (Financial 
Operations): 

1.  Instruct  the  Financial  Management  Centers  to  establish  procedures 
requiring  Army  disbursing  offices  to: 

a.  Eliminate  the  use  of  multiple  user  accounts  in  the  Deployable 
Disbursing  System  and  require  justification  for  rare  circumstances  when  multiple 
users  are  necessary. 

b.  Eliminate  the  use  of  generic  user  accounts  in  the  Deployable 
Disbursing  System. 

c.  Minimize the number of users with the system administrator
privilege.

d.  Use  the  System  Authorization  Access  Request  form  or  another 
method  for  verifying  security  clearances,  need-to-know,  and  awareness  of 
information  assurance  responsibilities  in  granting  access  to  users  of  the  Deployable 
Disbursing System.

e.  Review the Deployable Disbursing System user account lists
periodically for the use of multiple and generic user accounts and monitor user
access.


f.  Maintain certifying officer appointment letters in accordance with
DoD Regulation 7000.14-R, “DoD Financial Management Regulation,”
volume 5, chapter 21.

g.  Ensure  access  to  interface  data  and  processes  is  limited  to 
personnel  responsible  for  processing  interface  files. 

h.  Maintain  adequate  continuity  of  operations  plans  in  accordance 
with  the  National  Institute  of  Standards  and  Technology,  Federal  Information 
Processing  Standards  Publication  200  and  Army  Regulation  500-3. 

2.  Instruct Financial Management Centers to establish procedures requiring
the:

a.  Appointment  of  certifying  officers  in  accordance  with 
requirements  of  section  3325,  title  31,  United  States  Code,  and  DoD  Regulation 
7000.14-R,  “DoD  Financial  Management  Regulation,”  volume  5,  chapter  33. 

b.  Performance  of  periodic  reviews  of  access  profiles  to  ensure  proper 
separation  of  duties  between  users  of  the  entitlement  and  disbursing  systems. 

Department  of  the  Army  Comments 

The Deputy Assistant Secretary of the Army (Financial Operations) (DASA-FO) agreed
with Recommendations A.1 and A.2 and stated that he has addressed each of these issues
in his memorandum, “Army Disbursing and Entitlement Systems Controls,”
June 6, 2011.

3.  Establish  a  standardized  control  process  for  the  Financial  Management 
Centers  to  use  in  examining  control  procedures  implemented  in  Recommendations 
A.1 and A.2.

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that the Army would establish a standardized control
process for the FMCs to use in examining control procedures implemented in
Recommendations A.1 and A.2. On August 2, 2011, USAFMCOM provided an updated
internal control checklist incorporating the results of the audit.

4.  Review  the  payments  processed  using  multiple  and  generic  user  accounts 
to ensure the payments were proper.

Department of the Army Comments

The DASA-FO agreed and stated that the Army would review the payments processed
using multiple and generic user accounts. He stated that the Special Inspector General
for Iraq has performed reviews and continues to do work in this area. In addition, he
requested that the Army Audit Agency conduct a theater-wide audit of commercial
payments emphasizing payments processed in DDS with generic user identification.
Finally, he stated that his office would analyze results of the audit findings of the Special
Inspector General for Iraq and the Army Audit Agency to determine the level of further
review required to ensure the propriety of these payments.

5.  Review  disbursing  personnel  using  multiple  and  generic  user  accounts 
and,  if  improper  payments  are  associated  with  these  accounts,  take  administrative 
action  against  the  personnel  using  those  accounts. 

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that the Army would take appropriate action in
accordance with Army Regulation 15-6 and DoD FMR, volume 5, in situations where the
Army identifies an erroneous payment resulting from misusing multiple and generic user
accounts.


6.  Coordinate  with  U.S.  Central  Command  to  conduct  an  investigation  as 
described  in  Army  Regulation  15-6,  “Procedures  for  Investigating  Officers  and 
Board  of  Officers,”  for  the  activities  of  the  two  Army  paying  agents  and,  based  on 
the  results  of  the  investigation,  initiate  appropriate  criminal,  civil,  or  administrative 
actions. 

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that he has requested copies of the investigation
initiated by the Multi-National Corps-Iraq into the theft of Commander’s Emergency
Response Program Funds by an Army captain. Upon review of this investigation report,
and in coordination with the DFAS legal staff, deficiencies would be provided to the
command for correction and further disciplinary action, as applicable.

7.  Review  the  seven  of  the  nine  duplicate  payments,  totaling  $162,258,  collect 
the  overpayments,  and  determine  whether  the  Army  should  take  administrative 
action  against  those  responsible  for  the  duplicate  payments. 

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that as of June 10, 2011, $75,864.06 of the duplicate
payments has been collected. The other $20,910 is being pursued and he anticipates its
successful collection. The balance of $65,483.94 paid to one contractor is under
investigation. For overpayments that cannot be collected, he stated he would direct an
investigation by the appropriate command in accordance with DoD FMR, volume 5, to
determine liability for uncollectable balances and appropriate administrative action. In
addition, USAFMCOM agreed with the potential monetary benefits associated with these
duplicate payments.

Our  Response 

The DASA-FO comments on Recommendations A.1.a through A.7 were responsive and
the actions met the intent of the recommendations.

Finding B. Army’s Financial System Did Not Maintain Reliable Payment Data

The Army’s financial system, including CAPS, DDS, and STANFINS, did not maintain
accurate or complete information. Specifically, out of the 402 commercial payments⁹
that we nonstatistically sampled from 211,808 payments (totaling $9.6 billion) in DDS,
the financial system did not maintain:

•  accurate  line  of  accounting  (LOA)  information  for  296  payments; 

•  accurate  payment  method  information  for  140  payments;  and 

•  complete fundamental payment information, such as invoice line item information¹⁰
for 370 payments, contract or requisition number for 54 payments, invoice received
date for 48 payments, and invoice number for 30 payments.

The financial system did not maintain accurate or complete information because Army
finance offices did not properly use DDS interfaces. Further, the Assistant Secretary of
the Army (Financial Management and Comptroller) and Director, DFAS (Information
and Technology), did not develop systems within Army’s financial system, including
DDS, with sufficient functionality to:

•  provide the ability to make foreign currency electronic funds transfer (EFT) payments
using DDS, and

•  comply with the Core Financial System Requirements in requiring fundamental
payment information.

Also, the Army disbursing offices could not provide a complete universe of commercial
payments made through DDS. This occurred because the Army’s financial system did
not maintain a centralized database of DDS payment transactions.

Without accurate and complete data, DoD cannot maintain complete and documented
audit trails, which are necessary to demonstrate the accuracy, completeness, and
timeliness of transactions. Furthermore, DoD funds are at increased risk for improper
payments.


9  We  did  not  review  23  of  the  425  sample  commercial  payments  for  data  reliability  based  on  the  hardcopy 
documentation  because  they  represented  Government  Purchase  Card  payments  for  which  visited  Army 
disbursing  offices  did  not  maintain  the  supporting  documentation. 

10  Invoice line items are document line items from an invoice, an itemized list of supplies delivered or
services performed.

Data Reliability Requirements for DDS

The  Core  Financial  System  Requirements  state  that  audit  trails  are  essential  to  providing 
support  and  must  exist  for  recorded  transactions.  In  addition,  the  Government 
Accountability  Office  has  provided  guidance  related  to  data  reliability.  Government 
Accountability  Office  Report  No.  GAO-03-273G,  “Assessing  the  Reliability  of 
Computer-Processed  Data,”  October  2002,  states  that  data  are  reliable  when  they  are: 

•  accurate  (they  reflect  the  data  entered  at  the  source  or,  if  available,  in  the  source 
documents),  and 

•  complete  (they  contain  all  of  the  data  elements  and  records  needed  for  the 
review). 

DoD FMR, volume 6A, chapter 2, requires that DoD Components, including the Army
and DFAS, maintain complete and documented audit trails. Audit trails enable tracing a
transaction from the manual vouchers and supporting documentation to the financial
statements. According to the DoD FMR, this is necessary to demonstrate the accuracy,
completeness, and timeliness of a transaction. This is also necessary to provide
documentary support, if required, for all data generated by the Army and submitted to
DFAS for recording in the accounting systems and for using in financial reports. In
addition, the DoD FMR requires that agencies code each charge to an appropriation or
fund with a complete accounting classification and country code, when applicable.

Army’s Financial System Needs to Maintain Accurate and Complete Payment Information

The data in the Army’s financial system were inaccurate or incomplete when compared
to the supporting documentation or to data in interfacing systems for 402 commercial
payments. To determine data reliability, we reviewed a nonstatistical random sample,
obtained from 10 DSSNs, of 402 Army commercial payments out of 211,808 (totaling
$10.5 million of $9.6 billion), from FY 2006 through 2008 commercial DDS payments
(see Appendix A). The Army’s financial system maintained inaccurate and incomplete
data because Army disbursing offices did not properly use DDS interface capabilities
and the Assistant Secretary of the Army (Financial Management and Comptroller) and
the Director, DFAS (Information and Technology), did not develop systems within
Army’s financial system, including DDS, with sufficient functionality to:

•  require the input of fundamental commercial payment information and

•  provide the ability to disburse EFT payments in foreign currencies.


Because of the inaccurate and incomplete data, the Army’s financial system did not
provide a transparent audit trail for required data elements in the payments processed
through the Army’s financial system that includes CAPS, DDS, and STANFINS.

DDS  Interface  Capabilities  Need  to  Be  Used  Properly 

Army disbursing personnel did not properly use DDS interfaces. The Army processed
commercial payments through its financial system, which included the entitlement
system, CAPS; the disbursing system, DDS; and the accounting system, STANFINS.
Although CAPS and STANFINS interface directly with DDS, three of the seven Army
DSSNs visited did not use either the CAPS or STANFINS interfaces to process
payments; six of the seven DSSNs manipulated the STANFINS interface files when
processing payments.

The DoD FMR states that audit trails are necessary to demonstrate the accuracy and
completeness of a transaction. In addition, the Core Financial System Requirements state
that core financial systems must provide automated functionality to generate an audit trail
of all accounting classification¹¹ additions, changes, and deactivations, including
effective dates of the changes. Furthermore, OMB Circular A-127 states that financial
system designs must eliminate unnecessary duplication of transaction entry. Wherever
appropriate, users should enter only once the data needed by the systems to support
financial functions, and data in other parts of the system should electronically update,
consistent with the timing requirements of normal business or transaction cycles.

DSSNs  Did  Not  Use  Interfaces  Appropriately  to  Process  Payments 

Although the capability existed for DDS to interface with CAPS and STANFINS,
personnel at three of the seven Army DSSNs did not use the interfaces appropriately
when processing payments. For example, Army personnel from DSSN 6335 (Europe
theater) indicated that they did not use the STANFINS interface file because it does not
separate the LOA information for multiple accounting sites. DSSN 6335 personnel
explained that because they disburse funds for multiple fiscal stations, they use a manual
process to ensure that they assign the LOAs to the respective accounting site. The
DDS PMO, however, stated that DDS has the capability to process information when
disbursing funds for multiple fiscal stations and that Army personnel at DSSN 6335
should be able to use the interface. The manual process is inefficient and creates the
opportunity for human error, lack of audit trail, and the possibility of duplicate payments.
USAFMCOM should require the FMCs to use the DDS interface with STANFINS to
minimize the manually entered data, ensure a complete audit trail, and comply with
OMB Circular A-127.

Army disbursing personnel processed 76 payments, totaling $1.4 million, of the
402 sample payments, without using the CAPS-to-DDS interface. For example, Army
personnel from DSSN 8763 explained that they did not use the CAPS interface because
training officials told them that the CAPS interface did not work. Army personnel from
DSSN 5579 manually entered CAPS payment information into DDS. Since our site
visits, personnel at both DSSNs 8763 and 5579 have taken action to use the
CAPS-to-DDS interface.

11  The accounting classification process categorizes financial information using elements such as Treasury
Account Symbol, fiscal year, fund code, and organization.

Disbursing  Offices  Need  to  Maintain  Interface  File  Integrity 

Army disbursing offices did not maintain the integrity of the STANFINS interface files.
Army disbursing personnel adjusted the DDS payment data in the STANFINS interface.
However, because DDS does not generate an audit trail of changes to the accounting
classification, the interfaces with DDS must maintain their integrity for the audit trail to
remain intact. Therefore, when Army disbursing personnel made changes to the
STANFINS interface file, DDS did not reflect the changes.

Army disbursing personnel processed 296 of the 402 sample payments in which the LOAs
in DDS did not reconcile to the STANFINS LOAs; therefore, there is not a transparent
audit trail between the two systems. In addition, personnel at six of the seven Army
DSSNs manually adjusted the LOA information in the STANFINS interface file before
submitting it to STANFINS. Of the six DSSNs that manually adjusted the LOA
information, four maintained inadequate procedures for the changes made to the
STANFINS interface files. These procedures did not identify the data elements Army
disbursing personnel changed before completing the STANFINS interface. The remaining
two DSSNs did not maintain any procedures for the changes made to the STANFINS
interface file. In addition, these six DSSNs did not maintain procedures on recording the
changes made to the STANFINS interface file in the original supporting documentation.
To maintain a transparent audit trail in the STANFINS interface files, USAFMCOM
should require the FMCs to develop procedures for making necessary changes and
recording the changes in the original supporting documentation.

DDS  Interface  with  CAPS  Did  Not  Always  Provide  an  Audit  Trail 

DFAS personnel were unable to provide an audit trail for 125 CAPS payments, totaling
$1.9 million, of the 425 sample payments.¹² We provided the DDS payment information
for the 125 payments to DFAS personnel to locate the corresponding CAPS data.
However, DFAS personnel were not able to provide corresponding CAPS data. Army
and DFAS personnel explained that it is possible the data were not available because
Army personnel did not use the DDS and CAPS interface and did not update the payment
information in CAPS. Therefore, we were unable to verify whether the DDS interface
with CAPS provided a complete audit trail for these 125 unmatched payments.
USAFMCOM should review the CAPS and DDS data for completeness to ensure a
transparent audit trail exists for these 125 payments.

12  We reviewed all 425 sample payments for audit trail completeness.

Army Personnel Inconsistently Processed Foreign EFT Payments

DDS did not maintain accurate payment method information for 140 of the 402 sample
payments, totaling $2.9 million, because DDS could not disburse EFT payments in
foreign currencies. Army disbursing offices developed workarounds to make foreign
currency EFT payments outside of DDS and record the payments as “check” payments in
DDS. However, the Army did not consistently employ these workarounds and
inaccurately recorded payment method information in DDS. For example, Army
disbursing personnel at DSSN 6335 (Europe theater) identified a foreign EFT payment as
a “check” in DDS and then processed the foreign EFT payment outside of DDS through a
local banking system. The DDS PMO, as of June 19, 2009, implemented a system
change request to be able to process foreign EFT payments in the international banking
community. However, the DDS PMO stated that despite this system change, system
limitations necessitate that disbursing offices like Korea and Belgium will still need to
use workarounds in processing foreign EFT payments through DDS. Because this will
not correct the accuracy of the payment method in DDS for disbursing offices using those
workarounds, USAFMCOM should require Army disbursing offices to develop
consistent methods for handling foreign EFT payments. In addition, USAFMCOM
should coordinate with DFAS to develop a consistent method within DDS to identify the
differences in the payment method of the foreign EFT payments.

Army’s  Financial  System  Was  Missing  Key  Payment  Information 

The Army’s financial system did not require entering fundamental information for
commercial payments processed through DDS. Specifically, the Army’s financial system
did not maintain complete invoice line item, contract or requisition number, invoice
received date, or invoice number information. The Core Financial System Requirements
state that adequate internal controls must be in place to verify that the goods or services
paid for were actually ordered, received, and accepted; that proper due dates and payment
amounts were computed; and that duplicate payments were prevented. DDS provided
different voucher methods for processing commercial payments; however, not all
methods captured information required by the Core Financial System Requirements.

DDS provided the following different voucher methods for processing commercial
payments, such as manual disbursements, CAPS, Standard Form 1034s,¹³ and Standard
Form 44s.¹⁴

•  The manual disbursement voucher method recorded disbursement vouchers
prepared offline and required entering a minimal amount of information to
process a payment in DDS.

•  The CAPS-DDS voucher method processed pre-certified vendor payments that
DDS received through an interface from the CAPS entitlement system.

•  The SF 1034 voucher method permitted a DDS user to input complete payment
data that resulted in a payment to an individual or organization for goods
furnished or services rendered. This method provides an audit trail of the
payment.

•  The SF 44 voucher method permitted a DDS user to input complete payment
data that resulted in on-the-spot, over-the-counter purchases of supplies and
non-personal services. This method provides an audit trail of the payment.

13  Standard Form 1034, “Public Voucher for Purchases and Services Other Than Personal” (SF 1034).

14  Standard Form 44, “Purchase Order-Invoice-Voucher” (SF 44).

The DDS voucher methods for the 402 Army payments reviewed for data reliability
included 130 manual disbursements, 257 CAPS payments, and 15 SF 1034s. Army
payments processed through DDS using the manual disbursement and CAPS voucher
methods did not require the input of key information.

Manual Disbursement Voucher Method Did Not Capture Key Information

Because Army disbursing personnel used the manual disbursement voucher method to
process commercial payments through DDS, the Army’s financial system did not
maintain the following key information for the 402 sample commercial payments:

•  invoice  line  items  for  129  payments,  totaling  $4.9  million; 

•  contract  or  requisition  numbers  for  54  payments,  totaling  $3.5  million; 

•  invoice  received  dates  for  48  payments,  totaling  $3.5  million;  and 

•  invoice  numbers  for  30  payments,  totaling  $2.6  million. 

The financial system could not maintain the information because the manual
disbursement voucher method required entering a limited amount of information into
DDS to process a commercial payment. DDS personnel described this method as the
“catch all” disbursement voucher process that required the least amount of input. The
manual disbursement voucher method required entering payee information, amount, and
LOA data to process a commercial payment in DDS. This voucher method did not allow
for entering key data elements such as invoice line item, contract or requisition number,
and invoice received date information, and did not allow for entering invoice numbers for
cash or check payments. However, the Core Financial System Requirements state that
the core financial system must provide the automated functionality to capture:

•  invoice line items;

•  an  agency-assigned  source  document  number,  which  may  be  a  contract  or 
requisition  number; 

•  an  invoice  receipt  date;  and 

•  a  vendor  invoice  number. 

Army disbursing personnel processed SF 44 payments in DDS with the manual
disbursement voucher method, excluding key information. Although 30 of the sample
payments, totaling $1.3 million, contained 175 SF 44s in the supporting documentation,
disbursing personnel processed them using the manual disbursement voucher method.
DDS provides the functionality to process SF 44 payments using either the SF 44 or the
SF 1034 voucher method. Because disbursing personnel did not use the SF 44 or the
SF 1034 voucher method to process these payments, DDS did not provide information
such as the invoice line items, contract or requisition number, invoice received date,
invoice number, payee, or the amount of the individual purchases. For example, instead
of entering the vendor information in the payee field, disbursing personnel entered the
name of the paying agent. Because the individual SF 44 payment data are not in DDS, it
is not possible to identify from DDS data what the Army purchased or from whom they
purchased the invoice line items. Without this basic information in the Army’s financial
system, Army management does not have sufficient information to analyze payment data
to identify and minimize duplicate payments or other forms of improper payments. To
maintain an adequate audit trail associated with these payments, USAFMCOM should
require Army disbursing offices to use the SF 44 voucher method in DDS.

By using the manual disbursement voucher method, the Army disbursing offices entered
only the minimal amount of information into DDS and weakened the audit trail
associated with the payments. In addition, the Army’s financial system did not comply
with the Core Financial System Requirements to capture key payment information. To
maintain an adequate audit trail and comply with regulations, USAFMCOM should
require the disbursing offices to restrict the use of the manual disbursement voucher
method in DDS.
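
The two reliability tests applied in this finding, completeness of the key payment fields and agreement of the LOA with the interfacing accounting system, can be expressed as a screen over exported payment records, together with the duplicate-payment analysis that missing fields defeat. This is an added example, not code from the report or from DDS or STANFINS; the field names, LOA strings, and records are constructed placeholders.

```python
"""Data-reliability screen for disbursement records (constructed sample data)."""
from collections import defaultdict

# The four elements the report found missing from manual disbursement vouchers.
REQUIRED_FIELDS = (
    "invoice_line_items",
    "contract_or_requisition_no",
    "invoice_received_date",
    "invoice_no",
)

# Constructed records. Field names and LOA strings are placeholders, not a
# real DDS layout. V-102 mimics a manual disbursement (payee, amount, LOA
# only); V-103 mimics a CAPS voucher with no invoice line items.
DDS_PAYMENTS = [
    {"voucher": "V-100", "method": "SF1034", "payee": "Vendor A", "amount_cents": 125000,
     "loa": "LOA-A-0001", "invoice_line_items": ["generator rental"],
     "contract_or_requisition_no": "REQ-001", "invoice_received_date": "2008-03-01",
     "invoice_no": "INV-77"},
    {"voucher": "V-101", "method": "SF1034", "payee": "Vendor A", "amount_cents": 125000,
     "loa": "LOA-A-0001", "invoice_line_items": ["generator rental"],
     "contract_or_requisition_no": "REQ-001", "invoice_received_date": "2008-03-01",
     "invoice_no": "INV-77"},
    {"voucher": "V-102", "method": "MANUAL", "payee": "Paying Agent",
     "amount_cents": 50000, "loa": "LOA-B-0002"},
    {"voucher": "V-103", "method": "CAPS", "payee": "Vendor C", "amount_cents": 9000,
     "loa": "LOA-C-0003", "contract_or_requisition_no": "REQ-009",
     "invoice_received_date": "2008-04-02", "invoice_no": "INV-12"},
]

# Constructed accounting-side LOAs keyed by voucher. V-102 was changed in the
# interface file after leaving the disbursing system; V-103 never arrived.
STANFINS_LOAS = {"V-100": "loa-a-0001 ", "V-101": "LOA-A-0001", "V-102": "LOA-B-9999"}


def _norm(loa):
    """Compare LOAs without regard to case or embedded whitespace."""
    return "".join(loa.split()).upper()


def reliability_issues(dds_payments, stanfins_loas):
    """Return {voucher: [issues]} for records that are incomplete or inaccurate."""
    report = {}
    for rec in dds_payments:
        issues = []
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            issues.append("incomplete: " + ", ".join(missing))
        other = stanfins_loas.get(rec["voucher"])
        if other is None:
            issues.append("no accounting record")
        elif _norm(other) != _norm(rec["loa"]):
            issues.append("LOA mismatch")
        if issues:
            report[rec["voucher"]] = issues
    return report


def duplicate_candidates(dds_payments):
    """Group vouchers sharing payee, invoice number, and amount.

    Records without an invoice number cannot be screened and are returned
    separately, which is the analysis gap the finding describes.
    """
    groups = defaultdict(list)
    unscreened = []
    for rec in dds_payments:
        if not rec.get("invoice_no"):
            unscreened.append(rec["voucher"])
            continue
        key = (rec["payee"], rec["invoice_no"], rec["amount_cents"])
        groups[key].append(rec["voucher"])
    duplicates = [vouchers for vouchers in groups.values() if len(vouchers) > 1]
    return duplicates, unscreened


if __name__ == "__main__":
    for voucher, issues in reliability_issues(DDS_PAYMENTS, STANFINS_LOAS).items():
        print(voucher, issues)
    print(duplicate_candidates(DDS_PAYMENTS))
```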

CAPS  Voucher  Method  Did  Not  Capture  Invoice  Line  Items 

Because Army disbursing personnel used the CAPS voucher method to process
commercial payments through DDS, the Army’s financial system did not maintain
invoice line item information for 241 payments, totaling $5 million. These 241 payments
are in addition to the 129 manual disbursements previously discussed, totaling
370 payments missing invoice line item information. The 241 payments did not contain
the invoice line item information because neither the CAPS entitlement system nor the
DDS CAPS voucher method allowed for entering this information. The CAPS voucher
method captured only the data transferred from CAPS through an interface. Because the
Army’s financial system did not comply with the Core Financial System Requirements to
capture invoice line item information, DFAS should modify CAPS and the manual
disbursement function within DDS to capture invoice line item information before
processing all commercial payments in DDS.

DDS  PMO  Took  Action  to  Address  Previous  Recommendations 

In DoD Inspector General Report No. D-2010-037, “Internal Controls Over United States
Marine Corps Commercial and Miscellaneous Payments Processed Through the
Deployable Disbursing System,” January 25, 2010, we made recommendations to DFAS
management addressing modifications to DDS regarding key payment information,
including contract or requisition numbers, invoice received dates, and invoice numbers
for commercial payments processed through DDS. DFAS management agreed to our
recommendations. As of September 20, 2010, the DDS PMO personnel modified DDS to
require entering a contract or requisition number and invoice number for commercial
payments. In addition, in March 2011, the DDS PMO personnel modified DDS to
require the invoice received date for commercial payments. Therefore, we will not make
any recommendations to DFAS management related to the contract or requisition
number, invoice number, and invoice received date.

Army  Did  Not  Have  a  Centralized  Database  of  DDS  Data 

The Army disbursing offices could not provide a complete universe of DDS data for
13,795 commercial payments for $801.3 million in time for our review. This occurred
because the Army’s financial system did not maintain a centralized database of DDS
payment transactions. Following our requests for Army DDS data from FY 2006 through
FY 2008, the Army disbursing offices provided separate Army DDS databases with a
total of 211,808 commercial payments. However, these databases did not include
13,795 commercial payment transactions; therefore, we were not able to include them
in our assessment of internal controls or data reliability. During the review for missing
payment transactions, we identified DDS data for 13,523 of the 13,795 payment
transactions. An automated audit trail does not exist for the remaining 272 payment
transactions; however, we observed the hard copy vouchers associated with these
payments.

OMB Circular A-127 states that financial management systems must be in place to
provide complete, timely, reliable, and consistent information to deter fraud, waste, and
abuse of Federal Government resources. Although the Army did not maintain a
centralized database and could not provide a complete universe of DDS payments during
the audit, in November 2009, DDS PMO officials stated that the office developed a
centralized repository. The DDS PMO developed this repository, the DDS Data
Reporting Initiative, to provide visibility over summary level data associated with
payments processed through DDS starting in FY 2009. However, this repository did not
contain summary level data for all DDS payments processed before FY 2009. In
addition, the repository did not maintain all key data elements associated with DDS
payments, such as LOA and information to identify the users processing the payments in
DDS. In April 2011, the DDS PMO modified the repository to display the LOA and user
information. Therefore, we will not make any recommendation to DFAS management
relating to the modification of the repository providing visibility of LOA and user
information. However, DFAS should still incorporate the 13,523 payments into the
repository.

Conclusion 

The Army’s financial system did not maintain accurate and complete data elements
such as LOA, payment method, invoice line item, contract or requisition number,
invoice received date, and invoice number. As a result, critical gaps of inaccurate
and incomplete data exist in the audit trail of the commercial payments Army
disbursing personnel processed through DDS. USAFMCOM and DFAS should
implement the recommendations in this report to improve the accuracy and completeness
of Army commercial payment data processed through DDS and to comply with
OMB Circular A-127 and the Core Financial System Requirements. Without a complete
audit trail, Army management does not have sufficient information to oversee the
commercial payment process and ensure payments are proper; without appropriate
oversight and proper payments, the Army places DoD funds at an increased risk for
human error, lack of audit trail, and improper payments.

Management  Comments  on  the  Finding  and 
Our  Response 

Department  of  the  Army  Comments 

The  DASA-FO  provided  additional  comments  on  the  finding  to  note  that  abnormal 
balances  related  to  DDS  payments  did  not  exceed  acceptable  threshold  levels  during  the 
audit. 

Our  Response 

Our audit did not include a review of abnormal balances resulting from DDS payments;
therefore, we cannot comment on the validity of this statement.

Defense  Finance  and  Accounting  Service  Comments 

The Deputy Director, Operations, DFAS, provided additional comments on the finding to
highlight DFAS corrective actions that we did not include in the draft report. These
actions included the DDS PMO implementing system change requests to provide Army
management with sufficient visibility to readily review and identify access control
weaknesses, and to incorporate the LOA and user information into the Data Reporting
Initiative.

Our  Response 

The actions taken by DFAS relate to recommendations made in the DoDIG Report
No. D-2010-037, “Internal Controls Over United States Marine Corps Commercial and
Miscellaneous Payments Processed Through the Deployable Disbursing System,”
January 25, 2010, or modifications to the system as a result of our ongoing audit work.

In this report on controls over Army’s DDS payments, we state that, “As of
September 20, 2010, DDS PMO personnel modified DDS to require entering a contract
or requisition number and invoice number for commercial payments. In addition, in
March 2011, the DDS PMO personnel modified DDS to require the invoice received date
for commercial payments.” Because of the DDS PMO’s actions, we do not make any
recommendations to DFAS management related to the contract or requisition number,
invoice number, and invoice received date. We also explain that as of June 19, 2009, the
DDS PMO had implemented a system change request to be able to process foreign EFT
payments in the international banking community.

In April 2011, the DDS PMO modified the Data Reporting Initiative to display the line of
accounting data and user information. We issued the draft of this report on controls over
Army’s DDS payments on May 11, 2011; therefore, we did not capture the actions taken
by the DDS PMO. Because the DDS PMO took actions before the final report issuance,
we removed recommendation B.2.b that DFAS modify the Data Reporting Initiative to
display LOA and user information.

Recommendations,  Management  Comments,  and 
Our  Response 

Deleted  and  Renumbered  Recommendations 

In  response  to  management  comments,  we  deleted  draft  Recommendation  B.2.b; 
therefore,  we  renumbered  draft  Recommendation  B.2.c  as  Recommendation  B.2.b. 

B.1. We recommend that the Deputy Assistant Secretary of the Army (Financial
Operations):

a.  Require  the  Financial  Management  Centers  to: 

(1)  Use  the  Deployable  Disbursing  System  and  Standard  Finance 
System  interface. 

(2)  Develop  procedures  for  Army  disbursing  offices  making  changes 
to  the  Standard  Finance  System  interface  files  and  the  recording  of  these  changes  in 
the  original  supporting  documentation. 

(3)  Use  consistent  methods  for  those  Army  disbursing  offices  using 
workarounds  to  handle  foreign  electronic  funds  transfer  payments. 

(4)  Restrict  the  use  of  the  manual  disbursement  voucher  method. 

Department  of  the  Army  Comments 

The DASA-FO agreed with Recommendations B.1.a(1) through B.1.a(4) and stated that
he had addressed these issues in his memorandum, “Army Disbursing and Entitlement
Systems Controls,” June 6, 2011.

(5) Use the Standard Form 44 voucher method in the Deployable
Disbursing System when processing Standard Form 44 payments.

Department  of  the  Army  Comments 

The DASA-FO agreed with Recommendation B.1.a(5) and stated that he had addressed
these issues in his memorandum, “Army Disbursing and Entitlement Systems Controls,”
June 6, 2011. He added, however, that “due to resource constraints and processing of
classified payments in contingency operations, disbursing offices are authorized to
process multiple SF 44s on a single SF 1034 voucher in the system provided key data is
included on the 1034 input or, for classified payments, use separately established
procedures for cross-referencing to separate classified files.”

b.  Review  the  Computerized  Accounts  Payable  System  and  Deployable 
Disbursing  System  data  for  completeness  to  ensure  a  transparent  audit  trail  exists 
for  the  125  payments  in  our  sample  that  had  no  trail. 

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that DFAS has performed an exhaustive search of
copies of the CAPS databases. He also stated that the original CAPS data for these
payments have probably been archived. He further explained that the Business
Transformation Agency maintained a CAPS repository for the contingency theaters, but
there was not a centralized CAPS repository for all Army CAPS sites. Therefore, DFAS
was developing a deployable version of CAPS that would include a central repository.
He expected this improvement to be implemented in 2012.

c.  Coordinate  with  Defense  Finance  and  Accounting  Service  to  develop  a 
consistent  method  within  the  Deployable  Disbursing  System  to  identify  the 
differences  in  the  payment  method  of  the  foreign  electronic  funds  transfer 
payments. 

Department  of  the  Army  Comments 

The DASA-FO agreed and stated that USAFMCOM, in coordination with DFAS, would
publish guidance on standardizing how electronic payments made through local
depository accounts were to be recorded in DDS. On August 2, 2011, the Director,
USAFMCOM agreed to provide this guidance no later than September 30, 2011.

Our  Response 

The DASA-FO comments to Recommendations B.1.a(1) through B.1.a(5), B.1.b, and
B.1.c were responsive and the actions met the intent of the recommendations.

B.2.  We  recommend  that  the  Director,  Defense  Finance  and  Accounting  Service: 

a. Modify the Computerized Accounts Payable System and the manual
disbursement function within the Deployable Disbursing System to capture invoice
line item information for all commercial payments.

Defense Finance and Accounting Service Comments

The Deputy Director, Operations, DFAS, agreed and stated that CAPS-Clipper did not
require invoice line item information. However, the invoice line item information was
required to be maintained in CAPS-Windows and DFAS was converting all remaining
sites that use CAPS-Clipper to CAPS-Windows by December 31, 2011.

Our  Response 

The  Deputy  Director,  Operations,  DFAS,  comments  were  responsive,  and  the  actions  met 
the  intent  of  the  recommendation. 

b.  Incorporate  the  13,523  Deployable  Disbursing  System  payments  into  the 
Data  Reporting  Initiative. 

Defense  Finance  and  Accounting  Service  Comments 

The  Deputy  Director,  Operations,  DFAS,  agreed  and  stated  that  the  DDS  PMO  developed 
the  Data  Reporting  Initiative  in  January  2009,  and  it  contains  all  but  272  DDS  payment 
transactions  since  2009.  He  also  stated  that  the  DFAS  provided  hard  copy  vouchers  for 
the  outstanding  272  transactions. 

Our  Response 

The  Deputy  Director,  Operations,  DFAS,  comments  were  not  responsive.  His  comments 
did  not  specifically  address  whether  the  DDS  PMO  incorporated  the  13,523  Army  DDS 
payments,  which  occurred  before  January  2009,  into  the  Data  Reporting  Initiative.  We 
request  that  the  Deputy  Director,  Operations,  DFAS,  provide  additional  comments  on 
recommendation  B.2.b. 

Finding C. Army and DFAS Had Inadequate
Controls Over DDS Database Changes

Army disbursing offices and DFAS did not have adequate controls for the 1,017 DDS
database changes that we reviewed. Specifically, Army disbursing offices and DFAS:

•  did  not  maintain  adequate  supporting  documentation  for  1,017  DDS  database 
changes,  and 

•  did  not  document  the  review  and  approval  of  294  DDS  database  changes. 

In  addition,  the  Army  disbursing  offices  and  DFAS  did  not  maintain  a  complete 
repository  that  included  210  DDS  database  changes.  This  occurred  because 
USAFMCOM  and  DFAS  officials  did  not  have  a  memorandum  of  agreement  that 
included  procedures  on  how  to  request,  approve,  document,  execute,  and  retain  DDS 
database  changes.  In  addition,  the  Under  Secretary  of  Defense  (Comptroller)/Chief 
Financial  Officer,  DoD,  did  not  publish  guidance  on  how  to  properly  document  and 
control  changes  to  DoD  databases.  As  a  result,  disbursing  offices  initiated  294  database 
changes  with  the  intent  to  adjust  $49.7  million  in  fund  accountability  without  supporting 
documentation  or  approval.  Further,  disbursing  offices  initiated  53  database  changes  to 
end-of-day  balances  on  the  Statement  of  Accountability  report  without  documented 
approval  of  the  updated  report. 

Database  Change  Audit  Trail  Requirements 

According  to  the  DoD  FMR,  the  Under  Secretary  of  Defense  (Comptroller)/Chief 
Financial  Officer,  DoD,  is  responsible  for  overseeing  the  establishment  of  internal 
controls  and  audit  trails  required  for  preparing  financial  reports  and  for  processing 
associated  transactions.  The  DoD  FMR  also  requires  that  DoD  Components  ensure  that 
they  maintain  audit  trails  in  sufficient  detail  to  permit  tracing  transactions  from  their 
sources  to  their  transmission  to  DFAS.  Audit  trails  enable  tracing  a  transaction  from  the 
manual  vouchers  and  corresponding  supporting  documentation  to  the  financial 
statements. 

According  to  the  Core  Financial  System  Requirements,  all  financial  management  systems 
must  have  security,  internal  controls,  and  accountability  built  into  the  processes  and  must 
provide  an  audit  trail.  These  requirements  also  state  that  adequate  audit  trails  are  critical 
to  providing  support  for  transactions  and  balances  maintained  by  the  core  financial 
system.  In  addition,  the  core  financial  system  must  capture  all  document  change  events, 
including  the  date,  time,  and  user  identification.  Adequate  audit  trails  enable  agencies  to 
reconcile  accounts,  research  document  history,  and  query  data  stored  in  the  core  financial 
system. 

DDS Database Change Process

According to DDS PMO personnel, disbursing office personnel called the DDS PMO
help desk when they had a problem with DDS. The DDS PMO entered call information
such as the caller name, date, location, problem description, and the resolution into the
Customer Support Initiative (CSI) database. The DDS PMO stated that most issues were
resolved over the phone; however, some circumstances required a database change, also
known as a script, to resolve the problem. When the DDS PMO determined the
disbursing office needed a database change, the DDS PMO requested a copy of the
disbursing office’s DDS database to verify the problem. The DFAS Technology Services
Organization [15] created the database change file, the DDS PMO provided it to the
disbursing office, and the disbursing office executed the database change file. The
Technology Services Organization attached the database change file to Tracker, which
was a repository for database change files. DFAS did not have procedures for
documenting this process and should develop procedures documenting the process for
requesting and executing database changes.

Controls  Need  to  Be  Established  Over  Army  DDS 
Database  Changes 

Army disbursing offices and the DDS PMO did not have adequate internal controls over
changes made to the DDS database. The DDS PMO provided a list of 1,036 Army DDS
database changes made during FY 2006 through FY 2008; we identified an additional
210 DDS database changes through a review of the CSI database. As a result, the
DDS PMO issued 1,246 DDS database changes during FY 2006 through FY 2008. The
DDS PMO was not able to provide 229 database changes in time for our review.
Therefore, we were able to review only 1,017 of the 1,246 DDS database changes.

Table  6  shows  a  breakout  of  the  DDS  database  changes. 


Table 6. Army DDS Database Changes from FY 2006 through FY 2008

Source of Database Change                             Number of Database Changes   Number of Database Changes Reviewed
---------------------------------------------------   --------------------------   -----------------------------------
Database Changes Originally Identified by DDS PMO     1,036                        1,017
Additional Database Changes Identified During Audit   210                          0
Total                                                 1,246                        1,017

15  The  DFAS  Technology  Services  Organization  oversees  the  development,  implementation,  operation,  and 
maintenance  of  DFAS  systems. 

DDS Database Changes Not Adequately Supported

Army  disbursing  offices  and  the  DDS  PMO  did  not  maintain  adequate  supporting 
documentation  for  the  1,017  DDS  database  changes.  Specifically, 

•  the  DDS  PMO  did  not  provide  complete  and  accurate  descriptions  of  database 
changes,  and 

• Army disbursing offices and the DDS PMO did not maintain adequate controls in
DDS to determine whether the Army disbursing personnel made changes to the
DDS database.

Database  Change  Descriptions  Incomplete  and  Inaccurate 

The  DDS  PMO  did  not  document  a  complete  and  accurate  description  of  database 
changes.  Specifically,  the  DDS  PMO: 

• did not document in CSI

    o key information on what caused the problem and how it was resolved,
    including the lines and amounts modified by a database change, and

    o the name of the database change file when the DDS PMO issued a
    database change to the Army disbursing personnel, and

• did not document in the database change file the complete or accurate description
as to what lines the database change affected.

The DDS PMO did not document complete and accurate information because the DDS
PMO did not have policy and procedures on the information and documentation that
should be included in either CSI or the database change file. On May 10, 2010, the
DDS PMO issued an internal standard operating procedures manual providing new
guidance on documentation and maintenance of database changes. However, the
procedures did not include specific guidance on how to document the effect of a database
change on the data. DFAS needs to create procedures that will capture a complete and
accurate description of DDS database changes.

Adequate  Controls  Needed  to  Maintain  Evidence  of 
Database  Changes 

Army disbursing offices and the DDS PMO did not have adequate controls to maintain
system information to identify database changes executed by disbursing offices. When
an Army disbursing office executes a database change, DDS records the name of the
database change file and a brief description of the change in the error log. In addition,
this documentation in the error log prevents the disbursing office from incorporating the
same database change multiple times. However, when Army disbursing offices archive
and delete their DDS data, DDS does not maintain the error log. Without the error log,
Army management cannot determine whether the disbursing office executed a database
change, and consequently, the disbursing office may inadvertently run a database change
multiple times, which would cause the data to be further changed.


In response to our identification of this issue, the DDS PMO created controls to maintain
system information to identify whether a disbursing office executed a database change.
When a disbursing office executes a database change, DDS records the database change
name in the application history table. DDS maintains the application history table when
the disbursing offices archive and delete their DDS data. Because the DDS PMO
established adequate controls to retain system information, we will not make
a recommendation on this issue.

Database  Changes  Did  Not  Have  Adequate  Review  and 
Approval  Documentation 

Army disbursing offices and the DDS PMO did not document the review and approval of
DDS database changes. Specifically,

• Army disbursing offices and the DDS PMO did not document approval for at
least 294 of 1,017 database changes, affecting $49.7 million in Army fund
accountability as reported on Statement of Accountability [16] (SOA) reports; and

• Army disbursing personnel requested at least 53 of the 1,017 database changes to
DDS data used to create previous SOA reports. However, the Army did not have
procedures requiring the review and approval of the revised SOA report.

Accountability  Changes  Need  Documented  Approval 

The DDS PMO, at the request of the Army disbursing personnel, provided at least 294 of
1,017 DDS database changes to increase or decrease $49.7 million in fund accountability.
These changes represented modifications in the classification of funds for which
disbursing officers were accountable to the U.S. Treasury. Army disbursing offices and
the DDS PMO did not provide documented evidence of review and approval of these
database changes.




16  The  Statement  of  Accountability  reports  impacted  by  database  changes  include  the  DD  Form  2657  and 
DD  Form  2665.  Disbursing  officers  maintain  their  daily  accountability  on  the  DD  Form  2657  (Daily 
Statement  of  Accountability).  Deputies,  cashiers,  and  agents  report  their  accountability  to  the  disbursing 
officer  on  DD  Form  2665  (Daily  Agent  Accountability  Summary). 

The DDS PMO did not require written approval for creating, issuing, and implementing
database changes that increase or decrease accountability.

Although the Army disbursing officers should have oversight over any increases or
decreases in their accountability, USAFMCOM did not have requirements for formally
approving DDS database change requests that affect the disbursing officer’s
accountability. USAFMCOM and the DDS PMO did not require
formal disbursing officer approval of DDS database changes affecting accountability.
Therefore, there was no evidence that the disbursing officer acknowledged accountability
increases or decreases resulting from the database change. In addition, the DoD FMR
does not contain guidance on documenting and making changes to a database. However,
during our audit, the DDS PMO added a requirement for the DDS PMO to approve
database changes affecting accountability, to notify the disbursing officer of the changes,
and to document the information in CSI.

Army disbursing offices and the DDS PMO also did not properly document database
changes that affected accountability. Database changes that affected accountability
contained a brief description on the printed SOA report. However, these descriptions
were unreliable. For example, a DDS database change description showed that the
change updated the day’s beginning balance, when actually, it corrected the previous
day’s ending balance. USAFMCOM and DFAS need to create guidance that requires
formal disbursing officer approval of all DDS database changes affecting accountability
and proper documentation of the changes. In addition, USAFMCOM should review the
294 DDS database changes that affected accountability to ensure that DoD funds were
not at risk for fraud, waste, or abuse.

DDS  Database  Changes  Affect  Daily  Balances  for  Reporting  Amounts 

The DDS PMO provided at least 53 of 1,017 database changes that affected DDS data
and were used to create SOA reports. However, USAFMCOM and the DDS PMO did
not establish procedures requiring the review and approval of an updated SOA report
resulting from DDS database changes. These 53 database changes would revise end of
day balances to closed business days’ reports. For example, a database change increased
the ending day balance for the previous day’s SOA report by $478,697.94; however, the
DDS PMO did not require the Army disbursing officer to review and sign the modified
SOA report associated with this change. Changing the end of day balances could cause
the Army disbursing offices to have obsolete signed SOA reports that do not match the
DDS data used to create the reports. Signed SOAs [17] provide the signees’ acknowledgment
of the amount of funds for which they are liable. The DDS PMO also provided
database changes that affected only the report amounts, but did not correct the
transactional data that supports the report. For example, the DDS PMO issued a database
change to adjust an SOA report that the day’s accountability and month-to-date
accountability were out of balance by $54,329 for over 20 days. This adjustment to the
SOA report was not supported by transactional data. USAFMCOM should require that
the disbursing officer review and approve modified SOA reports. In addition,
USAFMCOM should review and approve modified SOA reports impacted by the
53 database changes.

17 A signed SOA represents the disbursing officer’s acknowledgment of the amount of funds under his/her
control for which he/she is liable per the appointment letter. See the Glossary of Technical Terms for
additional information.

DDS  Database  Change  Repository  Was  Incomplete 

The  DDS  PMO  did  not  maintain  a  complete  repository  of  database  change  files.  The 
DDS  PMO  could  not  locate  the  database  change  files  for  69  (5.5  percent)  of  the 
1,246  database  changes.  Because  the  DDS  PMO  did  not  provide  the  actual  database 
change  file,  we  could  not  determine  whether  the  changes  were  legitimate. 

As  a  result  of  this  audit,  the  DDS  PMO  incorporated  a  central  repository  to  maintain  all 
database  change  files.  The  Technology  Services  Organization  reconciles  the  repository 
to  CSI  and  the  Tracker  system  to  verify  the  repository  accounts  for  all  database  change 
files.  Because  the  DDS  PMO  established  a  central  repository  to  retain  copies  of  all  DDS 
database  change  files,  we  will  not  be  making  a  recommendation  on  this  issue. 

Guidance  on  Database  Changes  Needs  to  Be  Complete 

USAFMCOM and the DDS PMO need to improve internal controls over Army DDS
database changes by developing a memorandum of agreement or formal procedures
providing guidance on how to request, approve, document, execute, and retain DDS
database changes. DoD FMR, volume 1, chapter 3, requires DFAS to establish a
memorandum of agreement with each DoD organization supported by DFAS systems.
Army disbursing offices and the DDS PMO did not have adequate documentation on the
procedures for making database changes. The formal procedures that the DDS PMO
provided relating to the DDS database change process were included in the Help Desk
Night-Shift Operations standard operating procedures. For the database change process,
this standard operating procedure discussed only the approval process for database
changes affecting accountability. However, the approval process was inadequate because
it did not require the disbursing officer’s approval for changes affecting accountability.

In  addition,  the  Technology  Services  Organization  did  not  have  any  written  procedures 
on  how  to  create  the  database  change  files.  USAFMCOM  and  DFAS  need  to  create 
guidance  and  procedures  on  how  to  request,  approve,  document,  execute,  and  retain  DDS 
database  changes. 

DoD  Needs  Policies  for  Documenting  and  Controlling 
Database  Changes 

Although the Office of the Under Secretary of Defense (Comptroller/Chief Financial
Officer) established policy on audit trails, DoD has not published guidance on how to
properly document and control changes to DoD databases. The DoD should incorporate
into the DoD FMR guidance establishing internal controls and audit trails for changes to
DoD databases. At a minimum, the guidance should provide requirements for
documenting database changes to include justification, approval, dollar amount of the
change, date and time of the change, and the identification of the system user making the
change.
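
The following Python sketch is an added illustration, not DDS code or anything supplied by DFAS. It models the two guards described under "Adequate Controls Needed to Maintain Evidence of Database Changes" (an error log that is lost on archive versus an application history table that is retained) and records the minimum fields listed above for each change. The schema, script name, user names, and amounts are all constructed assumptions.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed sample change script: adds $100.00 to one day's ending balance.
SCRIPT_NAME = "chg_0001.sql"
SCRIPT_SQL = ("UPDATE soa SET ending_balance_cents = ending_balance_cents + 10000 "
              "WHERE business_day = '2008-01-02'")
AMOUNT_CENTS = 10000


def new_db():
    """Hypothetical schema; the report does not describe DDS's real tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE soa (business_day TEXT PRIMARY KEY, ending_balance_cents INTEGER);
        CREATE TABLE error_log (script_name TEXT, description TEXT);
        CREATE TABLE application_history (
            script_name   TEXT PRIMARY KEY,   -- one row per change file, ever
            script_sha256 TEXT NOT NULL,      -- ties the record to the exact file
            justification TEXT NOT NULL,
            amount_cents  INTEGER NOT NULL,
            approved_by   TEXT NOT NULL,      -- name and position of the approver
            executed_by   TEXT NOT NULL,      -- user ID of the person running it
            executed_at   TEXT NOT NULL       -- UTC date and time
        );
        INSERT INTO soa VALUES ('2008-01-01', 50000), ('2008-01-02', 100000);
    """)
    return db


def already_applied(db, name, use_history):
    """Check the guard table: the retained history, or the error log only."""
    table = "application_history" if use_history else "error_log"
    row = db.execute(f"SELECT 1 FROM {table} WHERE script_name = ?", (name,)).fetchone()
    return row is not None


def apply_change(db, name, sql, use_history, justification, amount_cents,
                 approved_by, executed_by):
    """Run a change file once. Returns False when the guard refuses a re-run."""
    for field, value in (("justification", justification),
                         ("approved_by", approved_by),
                         ("executed_by", executed_by)):
        if not value or not value.strip():
            raise ValueError(f"{field} is required before a change may run")
    if already_applied(db, name, use_history):
        return False
    with db:  # the change and its audit record commit together or not at all
        db.execute(sql)
        db.execute("INSERT INTO error_log VALUES (?, ?)", (name, justification))
        if use_history:
            db.execute(
                "INSERT INTO application_history VALUES (?, ?, ?, ?, ?, ?, ?)",
                (name, hashlib.sha256(sql.encode()).hexdigest(), justification,
                 amount_cents, approved_by, executed_by,
                 datetime.now(timezone.utc).isoformat()))
    return True


def archive_and_delete(db, before_day):
    """Model of the archive step: old data and the error log are removed,
    while the application history table is deliberately left in place."""
    with db:
        db.execute("DELETE FROM soa WHERE business_day < ?", (before_day,))
        db.execute("DELETE FROM error_log")


def run_scenario(use_history):
    """Apply the change, archive, then try to apply the same change again."""
    db = new_db()
    meta = dict(justification="Correct prior-day ending balance (constructed)",
                amount_cents=AMOUNT_CENTS,
                approved_by="J. Doe, Disbursing Officer (constructed)",
                executed_by="user01")
    first = apply_change(db, SCRIPT_NAME, SCRIPT_SQL, use_history, **meta)
    archive_and_delete(db, "2008-01-02")
    second = apply_change(db, SCRIPT_NAME, SCRIPT_SQL, use_history, **meta)
    balance = db.execute("SELECT ending_balance_cents FROM soa "
                         "WHERE business_day = '2008-01-02'").fetchone()[0]
    return first, second, balance


if __name__ == "__main__":
    print("error log only:     ", run_scenario(False))
    print("application history:", run_scenario(True))
```

With the error log as the only guard, the second run after archiving succeeds and the balance is adjusted twice; with the retained history table the second run is refused and the approver, user, amount, and timestamp of the first run remain queryable.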

Conclusion 

USAFMCOM and the DDS PMO did not have adequate guidance on how to request,
approve, document, execute, and retain DDS database changes. In addition, the DoD has
not issued guidance on controls for database changes. As a result, the Army and
DDS PMO did not have a proper audit trail to determine the reliability of DDS data nor
support the validity of changes to Army fund accountability. It is essential that
USAFMCOM and the DDS PMO create guidance to document procedures on how to
request, approve, document, execute, and retain DDS database changes. A transparent
audit trail requires complete and accurate documentation. USAFMCOM should review
each instance in which DDS database changes affected accountability to ensure
safeguarding taxpayer funds against fraud, waste, or abuse.

Management  Comments  on  the  Finding  and 
Our  Response 

Defense  Finance  and  Accounting  Service  Comments 

The  Deputy  Director,  Operations,  DFAS,  provided  additional  comments  on  the  finding  to 
highlight  some  of  the  internal  controls  that  existed  over  database  changes.  He  explained 
that  internal  controls  existed  through  the  standard  operating  procedures  and  processes  in 
place  to  reconcile  the  database  changes. 

Our  Response 

On  page  37,  we  discuss  an  internal  standard  operating  procedures  manual  that  the  DDS 
PMO  issued  on  May  10,  2010.  We  acknowledged  that  this  manual  provided  new 
guidance  and  controls  over  the  documentation  and  maintenance  of  database  changes. 
However,  the  manual  “did  not  include  specific  guidance  on  how  to  document  the  effect 
of  a  database  change  on  the  data.”  Therefore,  we  concluded  the  procedures  did  not 
provide  adequate  controls  over  the  documentation  and  maintenance  of  database  changes. 
In  addition,  although  the  database  change  reconciliation  process  started  in  February  2010, 
the  DDS  PMO  was  not  able  to  provide  supporting  documentation  for  229  database 
changes  in  time  for  our  review. 

Recommendations,  Management  Comments,  and 
Our  Response 

C.1. We recommend that the Under Secretary of Defense (Comptroller)/Chief
Financial Officer, DoD, update the DoD 7000.14-R, “DoD Financial Management
Regulation” with guidance establishing internal controls and audit trails for
changes to DoD databases. At a minimum, this guidance should require:

a. Justification for the database change,

b.  Dollar  amount  of  the  database  change, 

c.  Date  and  time  of  the  database  change, 

d.  Name  and  position  of  the  individual  reviewing  and  approving  the 
database  change,  and 

e.  User  identification  of  the  individual  making  the  database  change. 

Under  Secretary  of  Defense  (Comptroller)/Chief  Financial 
Officer,  DoD,  Comments 

The  Deputy  Chief  Financial  Officer  partially  agreed.  He  stated  that  although  he  agreed 
that  there  should  be  published  guidance  on  how  to  properly  document  and  control 
changes  to  DoD  databases,  he  did  not  agree  that  this  detailed  guidance  be  included  in  the 
DoD  FMR.  Rather,  he  agreed  to  add  a  statement  that  directs  Components  to  include 
appropriate  internal  controls  and  audit  trails  for  adjustments  to  data  and  databases  as 
outlined in the OMB Circular A-123, “Management’s Responsibility for Internal
Control.”  The  estimated  completion  date  for  the  update  to  DoD  FMR,  volume  1, 
chapter  3,  is  January  2012. 

Our  Response 

The  Deputy  Chief  Financial  Officer’s  comments  were  responsive  and  he  agreed  to  add  a 
statement  to  the  DoD  FMR  directing  Components  to  include  appropriate  internal  controls 
and  audit  trails  for  adjustments  to  data  and  databases  in  compliance  with  the  OMB 
Circular A-123. This action met the intent of the recommendations.

C.2.  We  recommend  that  the  Deputy  Assistant  Secretary  of  the  Army  (Financial 
Operations): 

a.  Review  the  294  Deployable  Disbursing  System  database  changes  that 
affected  accountability  to  ensure  that  DoD  funds  were  not  subjected  to  fraud,  waste, 
or  abuse. 


b.  Review  and  approve  modified  Statement  of  Accountability  reports 
impacted  by  the  53  Deployable  Disbursing  System  database  changes  identified  in 
this  audit. 

Department  of  the  Army  Comments 

The  DASA-FO  agreed  and  stated  that  the  internal  review  office  would  review  a  sample  of 
the  294  database  changes  to  ensure  disbursed  funds  were  not  subjected  to  fraud,  waste,  or 
abuse.  He  also  agreed  to  review  a  sample  of  the  53  database  changes  identified  in  the 
audit,  which  impacted  Statement  of  Accountability  reports.  He  anticipated  that  the 
preliminary results of this review would be available by December 31, 2011.

Our Response

The  DASA-FO  comments  were  responsive,  and  the  actions  met  the  intent  of  the 
recommendations.

C.3.  We  recommend  that  the  Deputy  Assistant  Secretary  of  the  Army  (Financial 
Operations),  in  coordination  with  the  Director,  Defense  Finance  and  Accounting 
Service,  develop  a  memorandum  of  agreement  or  formal  procedures  providing 
guidance  on  how  to  request,  approve,  document,  and  execute  Deployable  Disbursing 
System  database  changes.  In  addition,  require  the  disbursing  officer  to  approve  all 
changes  that  affect  their  accountability  and  review  and  approve  all  modified 
Statement  of  Accountability  reports. 

Army  Comments 

The  DASA-FO  agreed.  He  will  implement  the  enhanced  controls  and  audit  logs  that 
DFAS  developed  for  using  script  files  to  modify  the  DDS  database  values  for  uncorrected 
errors.  He  said  he  would  limit  scripts  affecting  daily  accountability  to  those  requested  by 
the  responsible  disbursing  official.  He  stated  he  would  coordinate  with  DFAS  to  codify 
these changes in a formal document.

Defense  Finance  and  Accounting  Service  Comments 

The  Deputy  Director,  Operations,  DFAS,  agreed  and  stated  that  the  DDS  PMO  and 
DASA-FO  have  collaborated  to  modify  the  DDS  Help  Desk  Standard  Operating 
Procedures  for  requesting  changes  to  DDS.  The  Standard  Operating  Procedures  require 
notifying the disbursing officer before making changes to the database. On July 8, 2011,
the  DDS  PMO  provided  the  DDS  Help  Desk  Standard  Operating  Procedures  signed  by 
the  Director,  USAFMCOM;  the  DDS  Program  Manager;  and  the  Director,  U.S.  Marine 
Corps  Disbursing  Operations. 

Our  Response 

The  DASA-FO  and  the  Deputy  Director,  Operations,  DFAS,  comments  were  responsive. 
They have taken actions that met the intent of the recommendations.

Appendix A. Audit Scope and Methodology

We  conducted  this  performance  audit  from  August  2009  through  March  2011  in 
accordance  with  generally  accepted  government  auditing  standards.  Those  standards 
require  that  we  plan  and  perform  the  audit  to  obtain  sufficient,  appropriate  evidence  to 
provide  a  reasonable  basis  for  our  findings  and  conclusions  based  on  our  audit  objectives. 
We  believe  that  the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 

From  FY  2006  through  FY  2008,  the  Army  processed  more  than  285,926  commercial 
and  miscellaneous  payments,  totaling  $13.9  billion,  through  DDS.  We  received  DDS 
data  for  272,131  payments.  We  identified  an  additional  13,795  payments,  totaling 
$801.3  million,  for  which  we  were  missing  DDS  data.  We  could  not  review  the 
13,795  payments  because  Army  disbursing  offices  did  not  provide  the  DDS  data  in  time 
for  our  review.  Therefore,  this  was  a  scope  limitation.  We  believe  that  the  evidence 
obtained  provides  a  reasonable  basis  for  our  findings  and  conclusions  based  on  our  audit 
objectives. 

From  the  DDS  databases  the  DDS  PMO  originally  provided,  we  obtained  a  universe  for 
Army payments made from FY 2006 through FY 2008, which included
272,131 payments, totaling $13.1 billion. The universe included commercial and
miscellaneous payments from Army disbursing offices located in Europe, Korea, and
Southwest Asia. Our nonstatistical sampling approach resulted in the selection of
425 payments, totaling $10.5 million, from a universe of 211,808 commercial payments,
totaling  $9.6  billion.  We  excluded  the  60,323  miscellaneous  payments  from  the  sample 
universe  because  miscellaneous  payments  included  payments  such  as  condolence  or 
travel  payments,  which  were  not  in  the  scope  of  our  data  reliability  review. 

Table A-1 shows a breakout of the nonstatistically sampled commercial payments by
location.  We  tested  the  reliability  of  DDS  payment  information  by  comparing  425  hard 
copy  vouchers  and  supporting  documentation  to  the  DDS  data.  We  could  not  assess 
reliability  for  23  of  these  commercial  payments  because  they  represented  Government 
Purchase  Card  payments  for  which  visited  Army  disbursing  offices  did  not  maintain  the 
supporting  documentation. 


Table A-1. Nonstatistical Sample of Army Payments

Location          Number of Payments    Amount
Europe            150                   $1,418,650
Korea             130                   2,732,457
Southwest Asia    145                   6,391,811
Total             425                   $10,542,918

We also performed site visits to evaluate the effectiveness of current internal controls.

We visited seven Army DSSNs, completed internal control reviews for 16 Army DSSNs,
and  manually  reviewed  hard  copy  vouchers  for  10  Army  DSSNs.  The  nonstatistical 
sample  did  not  include  payments  from  all  16  DSSNs  because  some  DSSNs  processed  few 
or  no  commercial  payments.  Table  A-2  provides  a  breakout  of  each  DSSN  included  in 
our  reviews. 


Table  A-2.  Army  Disbursing  Offices  Reviewed 


Disbursing  Offices 

Systems  Control 

Internal  Control 

Sites  with 

Review* 

Review 

Nonstatistical 

Sample  Payments 

Europe  Theater  (6  sites) 

DSSN  5499 

X 

X 

X 

DSSN  6335 

X 

X 

X 

DSSN  6387 

X 

X 

DSSN  6460 

X 

DSSN  6583 

X 

DSSN  8763 

X 

X 

X 

Korea  Theater  (2  sites) 

DSSN  5023 

X 

DSSN  6411 

X 

X 

X 

SWA  Theater  (8  sites) 

DSSN  5579 

X 

X 

X 

DSSN  5588 

X 

X 

DSSN  8485 

X 

DSSN  8547 

X 

X 

DSSN  8549 

X 

X 

DSSN  8589 

X 

X 

DSSN  8748 

X 

X 

X 

DSSN  8788 

X 

Total 

7 

16 

10 

*Performed  at  the  disbursing  offices  we  visited. 


We  analyzed  the  sampled  payments  to  determine  the  reliability  of  the  data  processed 
through DDS. We completed a review of the sample payments to determine whether key
data elements, such as certifying official information, contract and requisition numbers,
invoice received date, and invoice number, were complete and accurate. We did not
perform any audit work relating to the recording of related obligations because DDS is
not involved in the recording of Army obligations.

We compared the DDS data for the 425 sampled commercial payments to STANFINS
and  CAPS  data  to  verify  that  all  matched  and  that  the  data  were  complete  and  accurate. 

We  also  reviewed  1,017  database  changes  of  the  1,246  the  DDS  PMO  created  in  response 
to  Army  disbursing  personnel  requests  to  alter  DDS  data.  The  DDS  PMO  could  not 
provide  229  database  changes  in  time  for  our  review;  therefore,  we  consider  this  a  scope 
limitation. 

Use  of  Computer-Processed  Data 

The  objective  of  the  audit  was  to  assess  the  reliability  of  DDS  data.  We  found  DDS  data 
to  be  incomplete  and  inaccurate  and,  therefore,  unreliable.  We  relied  upon  computer- 
processed  data  obtained  from  STANFINS,  CAPS,  and  CSI  to  perform  this  audit.  We 
assessed  the  reliability  of  STANFINS  data  by  comparing  the  LOA  from  DDS  data  to 
STANFINS  data.  Although  we  found  discrepancies  in  comparing  the  DDS  data  with 
STANFINS  data,  we  found  the  STANFINS  data  sufficiently  reliable  for  our  purposes. 

We  assessed  the  reliability  of  CAPS  data  by  comparing  CAPS  data  and  hard  copy 
vouchers  to  DDS  data.  We  found  discrepancies  in  the  CAPS  data,  and  we  made  a 
recommendation  to  ensure  a  transparent  audit  trail  exists;  otherwise,  the  CAPS  data  as 
they  related  to  the  audit  objective  were  reliable.  We  found  CSI  did  not  contain  complete 
documentation  of  the  database  changes  and  made  a  recommendation  to  correct  the 
incomplete  documentation;  otherwise,  the  information  in  CSI  as  it  related  to  the  audit 
objective  was  reliable. 

Use  of  Technical  Assistance 

The  DoD  Office  of  Inspector  General  Quantitative  Methods  and  Analysis  Division 
provided  a  sample  of  payments  from  DDS  to  test  for  reliability.  In  addition,  the 
Quantitative  Methods  and  Analysis  Division  consolidated  the  DDS  databases  provided  by 
the DDS PMO into the data-mining program for the audit team to analyze.

Appendix B. Prior Coverage of the
Deployable  Disbursing  System 

During  the  last  5  years,  the  Department  of  Defense  Inspector  General  (DoD  IG) 
and  the  Army  Audit  Agency  (AAA)  have  issued  12  reports  discussing  the 
Deployable  Disbursing  System.  Unrestricted  DoD  IG  reports  can  be  accessed  at 
http://www.dodig.mil/audit/reports.  Unrestricted  Army  reports  can  be  accessed  from  .mil 
and  gao.gov  domains  over  the  Internet  at  https://www.aaa.army.mil/. 

DoD  IG 

DoD IG Report No. D-2010-038, “Identification of Classified Information in an
Unclassified  DoD  System  and  an  Unsecured  DoD  Facility,”  January  25,  2010  (FOUO) 

DoD IG Report No. D-2010-037, “Internal Controls Over United States Marine Corps
Commercial  and  Miscellaneous  Payments  Processed  Through  the  Deployable  Disbursing 
System,”  January  25,  2010 

DoD IG Report No. D-2010-034, “Internal Controls Over the Army, General Fund Cash
and  Other  Monetary  Assets  Held  in  Southwest  Asia,”  January  8,  2010 

DoD  IG  Report  No.  D-2009-062,  “Internal  Controls  Over  DoD  Cash  and  Other  Monetary 
Assets,”  March  25,  2009 

DoD  IG  Report  No.  D-2009-054,  “Identification  of  Classified  Information  in 
Unclassified  DoD  Systems  During  the  Audit  of  Internal  Controls  and  Data  Reliability  in 
the  Deployable  Disbursing  System,”  February  17,  2009 

DoD  IG  Report  No.  D-2009-003,  “Internal  Controls  Over  Army  General  Fund,  Cash  and 
Other  Monetary  Assets  Held  Outside  of  the  Continental  United  States,”  October  9,  2008 

DoD  IG  Report  No.  D-2008-098,  “Internal  Controls  Over  Payments  Made  in  Iraq, 
Kuwait,  and  Egypt,”  May  22,  2008 

DoD  IG  Report  No.  D-2008-040,  “Defense  Retiree  and  Annuitant  Pay  System  and  the 
Deployable Disbursing System Compliance with the Defense Business Transformation
System  Certification  Criteria,”  January  4,  2008 

Army 

AAA Report No. A-2010-0062-ALL, “Audit of Controls Over Vendor Payments -
Southwest  Asia  (Phase  II)”  March  16,  2010 

AAA  Report  No.  A-2010-0057-ALL,  “Audit  of  Controls  Over  Vendor  Payments  - 
Southwest  Asia  (Phase  II)”  February  24,  2010 




AAA Report No. A-2010-0012-ALL, “Audit of Controls Over Vendor Payments -
Southwest  Asia  (Phase  II)”  January  5,  2010 

AAA Report No. A-2009-0173-ALL, “Audit of Controls Over Vendor Payments -
Kuwait  (Phase  I  -  U.S.  Army  Contracting  Command,  Southwest  Asia,  Camp  Arifjan, 
Kuwait)” July 29, 2009

Appendix C. Army Vendor Payment Cycle

The  audit  trail  for  the  Army  procurement  and  disbursing  process  begins  with  the 
identified  requirement  for  goods  and  services  and  ends  with  a  payment  out  of  DDS. 

1. The Army:

•  acknowledges  the  requirement  for  goods  or  services, 

•  develops  a  Purchase  Request  and  Commitment,  and 

•  forwards  the  purchase  request  information  to  the  Resource  Management  Shop. 

2.  The  Resource  Management  Shop: 

•  assigns  the  funding  and 

•  enters  the  commitment  into  the  Resource  Management  Tool  or  database 
Commitment Accounting System, which in turn sends the information to
STANFINS. 

3. The Army contracting office:

•  confirms  the  purchase  request  in  Resource  Management  Tool, 

•  uses  the  approved  Purchase  Request  and  Commitment  to  create  the  contract,  and 

•  enters  the  contract  fulfilling  the  requirements  for  goods  and  services  in  Standard 
Procurement  System/Procurement  Desktop  Defense. 

4. The Army forwards the contract from Standard Procurement System/Procurement
Desktop  Defense  through  an  automated  interface  to  the  entitlement  system,  CAPS,  or 
manually  provides  it  to  vendor  pay. 

5.  The  vendor: 

•  provides  the  goods  and  services  and 

•  submits  an  invoice. 

6.  The  receiving  official: 

•  acknowledges  receipt  of  goods  or  services  on  the  receiving  report  and 

•  forwards  the  receiving  report  to  vendor  pay. 

7.  Army  vendor  pay  personnel  enter  vendor  invoice  and  receiving  report  information 
into  CAPS. 

8.  CAPS  creates  a  voucher  for  payment. 

9.  The  certifying  officer,  in  accordance  with  DoD  FMR,  volume  5,  chapter  33: 

•  reviews  the  payments  and 

• authorizes the hard copy CAPS vouchers.

10. Through an interface, CAPS passes the payment data to the disbursing system, DDS.

However,  not  all  commercial  payments  flow  through  CAPS.  The  Army  processes  some 
commercial  payments  through  manual  entry  of  payment  information  into  DDS. 

11.  Whether  processed  through  an  interface  or  manual  entry  into  DDS,  the  disbursing 
office: 

•  makes  payments  by  cash,  check,  or  EFT, 

•  sends  payments  to  vendors  in  one  of  two  ways: 

o through an EFT/International Wire to the vendor's account through the
International Treasury System or

o through payment to a local depository account for the vendor to withdraw
the cash, and then

•  sends  payment  data  to  STANFINS,  where  the  disbursement  cycle  ends. 

The  following  figure  illustrates  the  automated  interface  and  manual  process  for  Army 
vendor payments.

Figure. Army Automated Flow of Vendor Payments

Commitment System

Standard  Procurement  System/Procurement  Desktop  Defense  (SPS/PD2)-  Contracting  System 

Computerized  Accounts  Payable  System  (CAPS)-  Entitlement  System 

Deployable  Disbursing  System  (DDS)-  Disbursing  System 

Standard  Finance  System  (STANFINS)-  Accounting  System 

International Treasury System (ITS.GOV)

Glossary of Technical Terms

Army’s Financial System. The Army’s financial system is an information system
consisting  of  applications,  such  as  STANFINS,  CAPS,  and  DDS,  that  collect,  process, 
maintain,  transmit,  and  report  data  about  financial  events. 

Appointment  Letter.  An  appointment  letter  states  the  specific  duties  the  disbursing 
office  and  all  other  agent  officers  are  authorized  to  perform.  It  includes  the  statement  “I 
acknowledge  that  I  am  strictly  liable  to  the  United  States  for  all  public  funds  under  my 
control.”  This  letter  also  includes  a  statement  that  confirms  that  the  appointee  has  been 
counseled  with  regard  to  pecuniary  liability  and  has  been  given  written  operating 
instructions. 

Backout.  A  backout  is  an  action  completed  to  correct  or  void  a  payment. 

Computerized  Accounts  Payable  System  (CAPS).  CAPS  is  the  entitlement  system  the 
Army  uses  that  generates  a  voucher  for  payment  and  interfaces  with  DDS. 

Database  Change.  A  database  change  is  a  method  of  changing  data  without  using  actual 
transactions. 

Deployable  Disbursing  System  (DDS).  DDS  is  a  disbursing  system  that  automates  a 
variety  of  disbursing  office  functions  including  travel,  military,  commercial,  and 
miscellaneous  payments;  accounts  payable;  collection  processes;  and  financial  reporting 
requirements.  It  interfaces  with  both  the  Computerized  Accounts  Payable  System  and  the 
Standard  Finance  System. 

Disbursing  Office.  A  disbursing  office  is  an  activity  or  the  organizational  unit  of  an 
activity  whose  principal  function  consists  of  disbursing,  collecting,  and  reporting  of 
public  funds. 

Disbursing  Station  Symbol  Numbers  (DSSN).  A  DSSN  is  a  four-digit  number 
assigned  to  each  disbursing  office  by  the  Department  of  Treasury.  The  DSSN  is  an 
identification  number  that  indicates  authority  to  receive  and  disburse  public  funds  and 
issue  checks  on  the  U.S.  Treasury.  In  this  report,  we  refer  to  disbursing  offices  by  DSSN. 

Generic  User  Accounts.  Generic  user  accounts  are  those  with  general  account 
identifications  that  are  not  assigned  to  a  specific  DDS  user. 

Improper  Payments.  Improper  payments  are  those  that  should  not  have  been  made  or 
that  were  made  in  an  incorrect  amount  under  statutory,  contractual,  administrative,  or 
other  legally  applicable  requirements. 

Interface.  An  interface  is  a  method  of  communication  between  two  systems  that  often 
includes transferring data from one system to another.

Multiple User Accounts. Multiple user accounts are those where more than one account
is  assigned  to  one  DDS  user.  A  user  with  multiple  user  accounts  can  access  several 
privileges  and  perform  multiple  disbursing  functions. 

Privileges.  Privileges  in  DDS  allow  users  to  perform  disbursing  functions,  which  include 
system  administrator,  accounting,  payment  certification,  check  printing,  and  voucher 
input. 

Standard  Finance  System  (STANFINS).  STANFINS  is  the  Army  accounting  system 
that  interfaces  with  DDS. 

System  Administrator  Privilege.  The  system  administrator  privilege  in  DDS  allows 
users  to  access  the  user  setup  screen,  manipulate  payment  data,  create  and  maintain  user 
accounts,  assign  privileges,  reset  passwords,  back  out  payments,  and  archive  and  purge 
data. 

User  Account  List.  The  user  account  list  for  DDS  identifies  individuals  assigned  to 
DDS  within  a  disbursing  office.  This  list  details  the  user’s  name,  identification,  and 
outstanding  fund  balance. 

Voucher.  A  voucher  is  a  document  certified  by  a  certifying  officer  as  a  basis  for  a 
disbursing  officer  to  make  a  payment.  In  this  report  we  refer  to  SF  1034  (Public  Voucher 
for Purchases and Services Other Than Personal) as a voucher.

Under Secretary of Defense (Comptroller)/Chief Financial
Officer,  DoD  Comments 


COMPTROLLER 


OFFICE  OF  THE  UNDER  SECRETARY  OF  DEFENSE 

1100 DEFENSE PENTAGON
WASHINGTON, DC 20301-1100


JUL  5  2011 


MEMORANDUM  FOR  PROGRAM  DIRECTOR,  DEFENSE  FINANCIAL  AUDITING 

SERVICE,  OFFICE  OF  THE  INSPECTOR  GENERAL  OF  THE 
DEPARTMENT  OF  DEFENSE 


SUBJECT:  Revised  Response  to  Draft  Audit  Report,  “Controls  Over  Army  Deployable 
Disbursing  System  Payments  Need  Improvement” 

On  May  9,  2011,  the  Office  of  the  Under  Secretary  of  Defense  (Comptroller)  (OUSD(C)) 
forwarded  comments  on  the  subject  draft  DoD  Inspector  General  audit  report.  Although 
OUSD(C) concurred that there should be published guidance on how to properly document and
control changes to DoD databases, OUSD(C) did not concur that this detailed guidance be in the
Department  of  Defense  Financial  Management  Regulation.  After  further  discussion  with  your 
staff,  OUSD(C)  agrees  to  add  a  statement  that  directs  components  to  include  appropriate  internal 
controls  and  audit  trails  for  adjustments  to  data/databases,  as  outlined  in  the  Office  of 
Management  and  Budget  Circular  A-123,  "Management’s  Responsibility  for  Internal  Control.” 
The  detailed  response  is  attached. 

Thank  you  for  the  opportunity  to  respond  to  the  draft  audit  report.  My  point  of  contact  is 


Attachment: 
As stated

DOD OIG DRAFT REPORT DATED MAY 11, 2011
PROJECT NO. D2007-D000FL-0252.003

“CONTROLS OVER ARMY DEPLOYABLE DISBURSING SYSTEM PAYMENTS NEED
IMPROVEMENT”

OFFICE  OF  THE  UNDER  SECRETARY  OF  DEFENSE  (COMPTROLLER) 
(OUSD)(C)  COMMENTS  TO  THE  DOD  OIG  RECOMMENDATIONS 

RECOMMENDATION C.1: We recommend that the Under Secretary of Defense
(Comptroller)/Chief Financial Officer update the DoD 7000.14-R, "DoD Financial Management
Regulation”  with  guidance  establishing  internal  controls  and  audit  trails  for  changes  to  DoD 
databases.  At  a  minimum,  this  guidance  should  require: 

a.  Justification  for  the  database  change, 

b.  Dollar  amount  of  the  database  change, 

c.  Date  and  time  of  the  database  change, 

d.  Name  and  position  of  the  individual  reviewing  and  approving  the  database  change, 
and 

e.  User  identification  of  the  individual  making  the  database  change. 

OUSD(C)  RESPONSE:  Partially  concur.  Although  OUSD(C)  concurs  that  there  should  be 
published  guidance  on  how  to  properly  document  and  control  changes  to  DoD  databases, 
OUSD(C)  does  not  concur  that  this  detailed  guidance  be  in  the  Department  of  Defense  Financial 
Management  Regulation  (DoDFMR).  The  DoDFMR,  Volume  1,  Chapter  3,  “Federal  Financial 
Management  Improvement  Act  of  1996  Compliance,  Evaluation,  and  Reporting,”  provides  the 
overarching  authoritative  guidance  for  all  system  requirements.  Appropriate  internal  controls 
that  direct  and  guide  the  systems  operations  should  be  integrated  into  each  system  established  by 
agency  management.  Determining  how  to  assess  the  effectiveness  of  internal  control  is  left  to 
the  discretion  of  the  agency,  therefore,  the  DoDFMR  does  not  specifically  detail  step-by-step 
procedures  for  any  financial  system.  The  OUSD(C)  will  add  a  general  statement  to  this  chapter 
that  directs  components  to  include  appropriate  internal  controls  and  audit  trails  for  adjustments  to 
data/databases  as  outlined  in  the  Office  of  Management  and  Budget  Circular  A-123, 
“Management’s Responsibility for Internal Control.” Step-by-step detailed procedures for
changes  to  a  system’s  data/databases  should  be  addressed  in  the  system’s  standard  operating 
procedures.  The  Deployable  Disbursing  System  Project  Management  Office  will  update  their 
standard  operating  procedures  manual  to  include  specific  details  of  data/database  change 
requirements  as  described  in  the  recommendation. 


Attachment

Department of the Army Comments


DEPARTMENT  OF  THE  ARMY 

OFFICE  OF  THE  ASSISTANT  SECRETARY  OF  THE  ARMY 
FINANCIAL  MANAGEMENT  AND  COMPTROLLER 
109  ARMY  PENTAGON 
WASHINGTON  DC  20310-0109 

JUN  10  2011 

MEMORANDUM  FOR  ASSISTANT  INSPECTOR  GENERAL  FOR  FINANCIAL 
MANAGEMENT  AND  REPORTING,  OFFICE  OF  THE  DEPARTMENT  OF  DEFENSE 
INSPECTOR  GENERAL,  400  ARMY  NAVY  DRIVE,  ARLINGTON,  VA  22202-4704 

SUBJECT:  Controls  Over  Army  Deployable  Disbursing  System  (DDS)  Payments  Need 
Improvement (Project No. D2007-D000FL-0252.003)


1. Reference your memorandum dated 11 May 2011, subject as above.

2.  We  appreciate  the  opportunity  to  comment  on  the  subject  draft  report.  During  the 
audit  period  (fiscal  years  2006-2008)  the  Army  processed  272,131  commercial  and 
vendor  payments  through  DDS.  We  ultimately  provided  automated  DDS  history  that 
documented  271,859  of  these  payments  and  hardcopy  records  documenting  the 
remaining  272  payments.  We  also  note  abnormal  balances  related  to  DDS  payments 
did  not  exceed  acceptable  threshold  levels  during  the  audit  period. 

3.  Although  documentation  exists  to  support  these  payments,  and  abnormal  balances 
were  within  tolerance,  we  acknowledge  that  system  access  controls  were  not  always  up 
to  standard.  Additionally,  we  recognize  the  need  to  improve  training  for  the  Soldiers  we 
deploy  to  process  these  payments  in  support  of  contingency  operations.  Therefore,  we 
will  implement  the  audit’s  recommendations  to  improve  the  theater-wide  disbursing 
control  environment  and  ensure  personnel  operating  DDS  are  properly  trained.  An 
effective  control  environment  is  critical  to  ensuring  the  proper  payment  and  reporting  of 
commercial  and  vendor  payment  transactions. 

4.  Specific  responses  to  the  draft  recommendations  are  attached.  My  point  of  contact 

matter telephone

DoDIG Project No. D2007-D000FL-0252.003
Controls  Over  Army  Deployable  Disbursing  System  Payments  Need  Improvement 
Department  of  the  Army  Comments  to  the  Draft  Report  Recommendations 


Recommendation A-1: We recommend that the Deputy Assistant Secretary of the
Army  (Financial  Operations)  instruct  the  Financial  Management  Centers  to  establish 
procedures  requiring  Army  disbursing  offices  to: 

a.  Eliminate  the  use  of  multiple  user  accounts  in  the  Deployable  Disbursing 
System  and  require  justification  for  rare  circumstances  when  multiple  users  are 
necessary. 

b.  Eliminate  the  use  of  generic  user  accounts  in  the  Deployable  Disbursing 
System. 

c.  Minimize  the  number  of  users  with  the  system  administrator  privilege. 

d.  Use  the  System  Authorization  Access  Request  form  or  another  method  for 
verifying  security  clearances,  need-to-know,  and  awareness  of  information  assurance 
responsibilities  in  granting  access  to  users  of  the  Deployable  Disbursing  System. 

e.  Review  the  Deployable  Disbursing  System  user  account  lists  periodically  for  the 
use of multiple and generic user accounts and monitor user access.

f.  Maintain  certifying  officer  appointment  letters  in  accordance  with  DoD 
Regulation 7000.14-R, “DoD Financial Management Regulation” volume 5, chapter 21.

g.  Ensure  access  to  interface  data  and  processes  is  limited  to  personnel 
responsible  for  processing  interface  files. 

h.  Maintain  adequate  continuity  of  operations  plans  in  accordance  with  the 
National  Institute  of  Standards  and  Technology  Federal  Information  Processing 
Standards Publication 200 and Army Regulation 500-3, section 3325, title 31, United
States Code, and DoD Regulation 7000.14-R.

Army  Response:  Concur.  Deputy  Assistant  Secretary  of  the  Army  (Financial 
Operations) memorandum dated 6 June 2011, Subject: Army Disbursing and
Entitlement  Systems  Controls,  addresses  each  of  these  issues. 

Recommendation  A-2:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  instruct  Financial  Management  Centers  to  establish 
procedures  requiring  the: 




a.  Appointment  of  certifying  officers  in  accordance  with  requirements  of  section 
3325, title 31, United States Code, and DoD Regulation 7000.14-R, “DoD
Financial Management Regulation,” volume 5, chapter 33.

b.  Performance  of  periodic  reviews  of  access  profiles  to  ensure  proper  separation  of 
duties  between  users  of  the  entitlement  and  disbursing  systems. 

Army  Response:  Concur.  Deputy  Assistant  Secretary  of  the  Army  (Financial 
Operations) memorandum dated 6 June 2011, Subject: Army Disbursing and
Entitlement  Systems  Controls,  addresses  these  issues. 

Recommendation A-3: We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) establish a standardized control process for the Financial
Management Centers to use in examining control procedures implemented in
recommendations A.1 and A.2.

Army Response: Concur. By not later than July 31, 2011, the US Army Financial
Management Command (USAFMCOM) will prepare and publish an updated internal
control checklist which incorporates the results of this audit.

Recommendation  A-4:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  review  payments  processed  using  multiple  and  generic 
user  accounts  to  ensure  the  payments  were  proper. 

Army Response: Concur. The review of payments made using multiple and generic
passwords is an ongoing process. The Special Inspector General for Iraq
Reconstruction (SIGIR) has performed these reviews as part of ongoing audit work
(SIGIR reports 10-011, 11-005, and 11-006). While a preliminary audit confirmed that
internal controls were not compromised in the specific case reviewed, SIGIR continues
to do work in this area (see SIGIR Report 11-005, Iraq Reconstruction Funds: Forensic
Audits Identifying Fraud, Waste, and Abuse, dated 28 Oct 10). Additionally, we
requested the Army Audit Agency conduct a theater-wide audit of commercial
payments emphasizing payments processed in DDS with generic USERIDs. We will
analyze results of SIGIR and Army Audit Agency audit findings to determine the level of
further review required to ensure the propriety of these payments.

Recommendation  A-5:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  review  disbursing  personnel  using  multiple  and  generic 
user  accounts  and  if  improper  payments  are  associated  with  these  accounts,  take 
administrative  action  against  the  personnel  using  these  accounts. 

Army Response: Concur. Appropriate action will be taken in accordance with Army
Regulation 15-6 and DoD Regulation 7000.14-R, “DoD Financial Management
Regulation,” volume 5, in situations where an erroneous payment is found as the result of
misusing multiple and generic user accounts.

Recommendation A-6: We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) coordinate with U.S. Central Command to conduct an
investigation as described in Army Regulation 15-6, “Procedures for Investigating
Officers and Board of Officers,” for the activities of the two Army paying agents and,
based on the results of the investigation, initiate appropriate criminal, civil, or
administrative action.

Army Response: Concur. We requested copies of the investigation initiated by the
Multi-National Corps - Iraq (MNC-I) into this situation (AR 15-6 Report of Investigation
Regarding Theft of Commander’s Emergency Response Program (CERP) Funds by
CPT  ,  dated 10 Apr 09). Upon review of the report, and in coordination
with DFAS legal staff, deficiencies will be identified to the command for correction and
further disciplinary action, as applicable.

Recommendation  A-7:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  review  seven  of  the  nine  duplicate  payments,  totaling 
$162,258,  collect  the  overpayments,  and  determine  whether  the  Army  should  take 
administrative  action  against  those  responsible  for  the  duplicate  payments. 

Army Response: Concur. Currently $75,864.06 has been collected, $20,910 is
actively being pursued from contractors with sufficient government work that we
anticipate successful collection, and $65,483.94 paid to one contractor is under active
investigation. For overpayments that cannot be collected, we will direct an investigation
be performed by the appropriate command in accordance with DoD Regulation
7000.14-R, “DoD Financial Management Regulation,” volume 5. The command’s
investigation will determine liability for uncollectable balances and appropriate
administrative action.

Recommendation B-1a(1): We recommend that the Deputy Assistant Secretary of
the Army (Financial Operations) require the Financial Management Centers to use the
Deployable Disbursing System and Standard Finance System interface.

Army Response: Concur. Deputy Assistant Secretary of the Army (Financial
Operations) memorandum, dated 6 June 2011, Subject: Army Disbursing and
Entitlement Systems Controls, directs the use of this interface.

Recommendation B-1a(2): We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) require the Financial Management Centers to develop
procedures for Army disbursing offices making changes to the Standard Finance
System interface files and the recording of these changes in the original supporting
documentation.

Army Response: Concur. Deputy Assistant Secretary of the Army (Financial
Operations) memorandum, dated 6 June 2011, Subject: Army Disbursing and
Entitlement Systems Controls, directs development of these procedures.

Recommendation B-1a(3): We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) require the Financial Management Centers to use
consistent methods for those Army disbursing offices using workarounds to handle
foreign electronic fund transfer payments.

Army Response: Concur. By not later than July 31, 2011, USAFMCOM, in
coordination with DFAS, will publish guidance on standardizing how electronic
payments made through local depository accounts will be recorded in DDS.

Recommendation  B-1a(4):  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  require  the  Financial  Management  Centers  to  restrict  the 
use  of  the  manual  disbursement  voucher  method. 

Army Response: Concur. Deputy Assistant Secretary of the Army (Financial
Operations) memorandum, dated 6 June 2011, Subject: Army Disbursing and
Entitlement Systems Controls, restricts the use of manual disbursement vouchers.

Recommendation B-1a(5): We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) require the Financial Management Centers to use the
Standard Form 44 voucher method in the Deployable Disbursing System when
processing Standard Form 44 payments.

Army Response: Concur. Deputy Assistant Secretary of the Army (Financial
Operations) memorandum, dated 6 June 2011, Subject: Army Disbursing and
Entitlement Systems Controls, addresses this issue. However, due to resource
constraints and processing of classified payments in contingency operations, disbursing
offices are authorized to process multiple SF 44s on a single SF 1034 voucher in the
system provided key data is included on the 1034 input or, for classified payments, use
separately established procedures for cross-referencing to separate classified files.

Recommendation B-1b: We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) review the Computerized Accounts Payable System and
Deployable Disbursing System data for completeness to ensure a transparent audit trail
exists for the 125 payments.

Army  Response:  Concur.  DFAS  has  performed  an  exhaustive  search  of  copies  of  the 
CAPS  databases.  While  the  audit  clearly  revealed  that  the  payments  were  made  in 
CAPS  and  subsequently  uploaded  or  input  to  DDS,  the  original  CAPS  data  for  these 
payments  have  probably  been  archived  or  moved  to  history.  While  the  Business 
Transformation  Agency  maintains  a  CAPS  repository  for  the  contingency  theaters,  there 
is  not  currently  a  centralized  CAPS  repository  for  all  Army  CAPS  sites  as  there  is  for 
DDS.  In  recognition  of  this  problem,  DFAS  is  developing  a  deployable  version  of  the 
Computerized  Accounts  Payable  System  that  will  include  a  central  repository.  We 
expect  this  improvement  will  be  implemented  in  2012. 

Recommendation B-1c: We recommend that the Deputy Assistant Secretary of the
Army (Financial Operations) coordinate with Defense Finance and Accounting Service
to develop a consistent method within the Deployable Disbursing System to identify the
differences in the payment method of the foreign electronic funds transfer payments.

Army Response: Concur. By not later than July 31, 2011, USAFMCOM, in
coordination with DFAS, will publish guidance on standardizing how electronic
payments made through local depository accounts will be recorded in DDS.

Recommendation  C-2a:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  review  the  294  Deployable  Disbursing  System  database 
changes  that  affected  accountability  to  ensure  that  DoD  funds  were  not  subjected  to 
fraud,  waste,  or  abuse. 

Army Response: Concur. Our internal review office will review a sample of the 294
database changes to ensure disbursed funds were not subjected to fraud, waste or
abuse. However, we do not believe these changes lend themselves to fraud, waste or
abuse since the changes do not affect the amount paid to the payee and reported to the
Treasury. We anticipate preliminary results of this review will be available by December
31, 2011.

Recommendation  C-2b:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations)  review  and  approve  modified  Statement  of  Accountability 
reports  impacted  by  the  53  Deployable  Disbursing  System  database  changes  identified 
in  this  audit. 

Army  Response:  Concur.  Our  internal  review  office  will  review  a  sample  of  the  53 
database  changes  identified  in  the  audit.  However,  we  do  not  believe  these  changes 
lend  themselves  to  fraud,  waste  or  abuse  since  the  changes  do  not  affect  the  amount 
paid  to  the  payee  and  reported  to  the  Treasury.  We  anticipate  preliminary  results  of  this 
review  will  be  available  by  December  31,  2011. 

Recommendation  C-3:  We  recommend  that  the  Deputy  Assistant  Secretary  of  the 
Army  (Financial  Operations),  in  coordination  with  the  Director,  Defense  Finance  and 
Accounting  Service,  develop  a  memorandum  of  agreement  or  formal  procedures 
providing  guidance  on  how  to  request,  approve,  document,  and  execute  Deployable 
Disbursing  System  database  changes.  In  addition,  require  the  disbursing  officer  to 
approve  all  changes  that  affect  their  accountability  and  review  and  approve  all  modified 
Statement  of  Accountability  reports. 

Army Response: Concur. We will implement the enhanced controls and audit logs
developed by DFAS for use of script files to modify DDS database values when errors
occur which cannot be corrected through use of the application functions at the local
site. We will limit scripts impacting daily accountability to those requested by the
disbursing officer, principal deputy or, for subordinate databases, the disbursing
agent/deputy responsible for that database. Deputy Assistant Secretary of the Army
(Financial Operations) memorandum, dated 6 June 2011, Subject: Army Disbursing and
Entitlement Systems Controls, addresses this issue. We will coordinate with DFAS to
codify these changes in a formal document.

Defense Finance and Accounting Service Comments


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 
ARLINGTON 
1851  SOUTH  BELL  STREET 
ARLINGTON,  VA  22240-5291 

JUN 17 2011

DFAS-JJ 


MEMORANDUM  FOR  DIRECTOR,  AUDIT  FOLLOW-UP  AND  GAO  AFFAIRS,  OFFICE 
OF  THE  INSPECTOR  GENERAL,  DEPARTMENT  OF  DEFENSE 

SUBJECT:  Controls  Over  Army  Deployable  Disbursing  System  Payments  Need  Improvement, 
Project  No.  D2007-D000FL-0252.003 

Attached  are  the  management  comments  to  recommendations  B2a-c  and  C3  of  the 
subject  report. 

Questions  your  staff  may  have  concerning  matters  for  this  recommendation  may  be 
directed 


David  E.  McDermott 
Deputy  Director,  Operations 


Attachment: 
As  stated 



Controls Over Army Deployable Disbursing System Payments Need Improvement,
Project No. D2007-D000FL-0252.003

Overview:  This  section  is  an  overview  of  the  report.  This  report  brings  up  various  issues 
that  were  previously  corrected,  but  does  not  consistently  give  DFAS  credit  for  items  we 
fixed. 

Notes: 

Item 1: Location: Page 5, para 1

Statement:  “Army  disbursing  personnel  at  16  DSSNs  did  not  adequately  control  access  to 
commercial  and  miscellaneous  payment  data  processed  through  DDS.” 

Action Taken: January 2011, DDS 6.4: X0203 - Create an Interface between DDS and
the Government CAC, X0475 - Provide the Ability to Designate Surrogate Users;
September 2010, DDS 6.3: X0469 - Create User Appointment Memorandum Upload
Capability, X0470 - Modify Archive Viewer to Display Paid and Certified User, X0472
- Modify DDS User Report to Report User Assigned Functions, X0474 - Capture
Certifying Officer for Certified Payments

Item  2:  Location:  Page  5,  para  2 

Statement:  “In  addition,  for  334  of  the  425  payments  reviewed,  disbursing  offices  could  not 
provide  the  certifying  officer  appointment  letters;  the  appointment  letter  was  not  signed;  or  the 
appointment  letter  was  not  signed  by  authorized  personnel.  These  deficiencies  occurred  because: 

•  Army  FMCs  did  not  have  effective  control  procedures  in  place  for  reviewing  DDS  user 
access  or  overseeing  the  DDS  payment  process,  and 

•  the  DDS  PMO  did  not  provide  sufficient  visibility  in  DDS  for  management  to  readily 
review  and  identify  access  control  weaknesses." 

Action Taken: September 2010, DDS 6.3: X0469 - Create User Appointment
Memorandum Upload Capability, X0470 - Modify Archive Viewer to Display Paid and
Certified User, X0474 - Capture Certifying Officer for Certified Payments

Item  3:  Location:  Page  7,  para  2 

Statement:  “Army  disbursing  offices  at  16  DSSNs  did  not  have  adequate  controls  over  the 
access  to  commercial  and  miscellaneous  payment  data  processed  through  DDS.  The  disbursing 
offices  exposed  DDS  payment  information  to  unauthorized  modification,  loss,  or  disclosure. 
Specifically,  the  Army  disbursing  offices:” 

1.  “assigned  multiple  user  accounts  to  individual  DDS  users  at  14  DSSNs," 

2.  “created  generic  user  accounts  in  DDS  that  were  not  assigned  to  specific  individuals  at  16 
DSSNs,” 

3. “assigned access to system administrator privileges to an excessive number of user
accounts at 16 DSSNs, and”

4. “DDS did not have procedures implementing DoD requirements for restricting access to
users with a need-to-know at five DSSNs.” “Specifically, disbursing personnel used 22
multiple user accounts and 56 generic user accounts to process $595.6 million in
payments; using these accounts bypassed controls and did not allow for identification of
individuals processing payments. In addition, Army disbursing offices assigned the
system administrator privilege to 90 of the 253 individual main site user accounts.”

Action  Taken: 

1. September 2010, DDS 6.3: X0472 - Modify DDS User Report to Report User
Assigned Functions

2. September 2010, DDS 6.3: X0472 - Modify DDS User Report to Report User
Assigned Functions, X0475 - Provide the Ability to Designate Surrogate Users

3. September 2010, DDS 6.3: X0472 - Modify DDS User Report to Report User
Assigned Functions.

4. January 2011, DDS 6.4: X0203 - Create an Interface between DDS and the
Government CAC, X0475 - Provide the Ability to Designate Surrogate Users;
September 2010, DDS 6.3: X0469 - Create User Appointment Memorandum
Upload Capability, X0470 - Modify Archive Viewer to Display Paid and Certified
User, X0472 - Modify DDS User Report to Report User Assigned Functions, X0474
- Capture Certifying Officer for Certified Payments.

Ref  Audit  Report  page  8,  para  1:  "Army  disbursing  offices  circumvented  DDS  controls  by 
assigning  multiple  user  accounts  to  859  individuals  who  used  DDS  (Table  2)  at  14  DSSNs." 

Item  5:  Location:  Page  18,  para  4 

Statement: “Army disbursing personnel made duplicate payments and processed classified
information through DDS... Specifically, Army disbursing personnel processed 655 payments
that contained classified information in DDS, an unclassified DoD system.”

Action  Taken:  Established  sensitive  data  script  and  procedures. 

Item  6:  Location:  Page  21,  para  1 

Statement: “The Army’s financial system, including CAPS, DDS, and STANFINS, did not
maintain accurate or complete information. Specifically, out of 402 commercial payments that
we randomly sampled from 211,808 payments ($9.6 billion) in DDS, the financial system did not
maintain:”

1. “accurate line of accounting (LOA) information for 296 payments;”

2.  “accurate  payment  method  information  for  140  payments;  and” 

3.  “complete  fundamental  payment  information,  such  as  invoice  line  item  information  for 
370  payments,  contract  or  requisition  number  for  54  payments,  invoice  received  date  for 
48  payments,  and  invoice  number  for  30  payments.” 

Action  Taken: 

1. April 2011, DDS DRI-1: X0509 - DRI Reporting Accounting line data

2.  None 

Ref Audit Report page 21, para 2: “The financial system did not maintain accurate
or complete information because Army finance offices did not properly use DDS
interfaces.”

3. September 2010, DDS 6.3: X0473 - Require Contract Number or Requisition
Number for Vendor Pay; March 2011, DDS 6.5: X0516 - Require Invoice Date for
Vendor Pay; [Unresolved: Invoice Line Item information]

Item  7:  Location:  Page  21,  para  2 

Statement:  “Further,  the  Assistant  Secretary  of  the  Army  (Financial  Management  and 
Comptroller)  and  Director,  DFAS  (Information  and  Technology)  did  not  develop  systems  within 
Army’s  financial  system,  including  DDS,  with  sufficient  functionality  to: 

•  provide  the  ability  to  make  foreign  currency  electronic  funds  transfer  (EFT)  payments 
using  DDS,  and” 

Action  Taken:  June  2009,  DDS  4.0:  X0245  -  Provide  the  Ability  to  Interface  with 
ITS.Gov. 

Item  8:  Location:  Page  25,  para  2 

Statement:  “The  Core  Financial  System  Requirements  state  that  adequate  internal  controls  must 
be  in  place  to  verify  that  the  goods  or  services  paid  for  were  actually  ordered,  received,  and 
accepted;  that  proper  due  dates  and  payment  amounts  are  computed;  and  that  duplicate  payments 
are  prevented.  DDS  provided  different  voucher  methods  for  processing  commercial  payments; 
however,  not  all  methods  captured  information  required  by  the  Core  Financial  System 
Requirements.” 

Action Taken: (Core Requirements - Data Access, security, internal controls,
accountability, audit trail): April 2011, DDS DRI-1: X0487 - Modify DRI to Display
Accountability Reports, X0508 - DRI Query of Collection Vouchers for Collected Items,
X0509 - DRI Reporting Accounting line data

January 2011, DDS 6.4: X0203 - Create an Interface between DDS and the Government
CAC, X0475 - Provide the Ability to Designate Surrogate Users

September 2010, DDS 6.3: X0472 - Modify DDS User Report to Report User Assigned
Functions.

Item  9:  Location:  Page  25,  para  3  &  Page  26,  para  2 

Statement:  “The  manual  disbursement  voucher  method  recorded  disbursement  vouchers 
prepared  offline  and  required  entering  a  minimal  amount  of  information  to  process  a  payment  in 
DDS.”  “Because  Army  disbursing  personnel  used  the  manual  disbursement  voucher  method  to 
process  commercial  payments  through  DDS,  the  Army’s  financial  system  did  not  maintain  the 
following  key  information  for  the  402  sample  commercial  payments:” 

Action  Taken:  None  -  Functionality  providing  preferred  audit  trail  exists  in  SF1034 
process. 

Ref  Audit  Report  page  26,  para  2:  “The  SF  1034  voucher  method  permitted  a  DDS  user 
to  input  complete  payment  data  that  resulted  in  a  payment  to  an  individual  or 
organization  for  goods  furnished  or  services  rendered.  This  method  provides  an  audit  trail 
of  the  payment.” 

Item  10:  Location:  Page  28,  para  2-3 

Statement: “Army Did Not Have a Centralized Database of DDS Data” “However, this
repository  did  not  contain  summary  level  data  for  all  DDS  payments  processed  before  FY  2009. 
In  addition,  the  repository  did  not  maintain  all  key  data  elements  associated  with  DDS  payments, 
such  as  LOA  and  information  to  identify  the  users  processing  the  payments  in  DDS.” 

Action Taken: The DRI-1 release in April 2011 is part of the ongoing effort to make the
DDS Repository Initiative (DRI) a repository for site data. X0487 - Modify DRI to
Display Accountability Reports, X0508 - DRI Query of Collection Vouchers for
Collected Items, X0509 - DRI Reporting Accounting line data, X0510 - Make DRI
Application Compatible with TSO-CS Automation.

Section: “FINDING C: ARMY AND DFAS HAD INADEQUATE CONTROLS OVER
DDS DATABASE CHANGES”

Item  11:  Location:  Page  32,  para  2 

Statement:  “Army  disbursing  offices  and  the  DDS  PMO  did  not  have  adequate  internal  controls 
over  changes  made  to  the  DDS  database.” 

Action  Taken:  DDS  Helpdesk  SOP  requires  PM  authorization  and  site  DO  notification 
of  all  accountability  changes.  Central  repository  was  established  to  retain  copies  of  all 
DDS  database  change  files.  The  Technology  Services  Organization  reconciles  the 
repository  to  CSI  and  the  Tracker  system  to  verify  the  repository  accounts  for  all  database 
change  files. 

Item  12:  Location:  Page  36,  para  4 

Statement:  “FMCOM  and  the  DDS  PMO  need  to  improve  internal  controls  over  Army  DDS 
database  changes  by  developing  a  memorandum  of  agreement  or  formal  procedures  providing 
guidance  on  how  to  request,  approve,  document,  execute,  and  retain  DDS  database  changes.” 

Action Taken: Internal controls for database changes exist through DDS Helpdesk SOP
requirements; PM must authorize and site DO must be notified of all accountability
changes. Central repository was established to retain copies of all DDS database change
files. The Technology Services Organization reconciles the repository to CSI and the
Tracker system to verify the repository accounts for all database change files.

Official  Responses  to  DFAS  Recommendations: 

Recommendation  B.2:  We  recommend  that  the  Director,  Defense  Finance  and  Accounting 
Service: 

a.  Modify  the  Computerized  Accounts  Payable  System  and  the  manual  disbursement  function 
within  the  Deployable  Disbursing  System  to  capture  invoice  line  item  information  for  all 
commercial  payments. 

b.  Modify  the  Data  Reporting  Initiative  to  display  line  of  accounting  and  user  account 
information,  and 

c. Incorporate the 13,524 Deployable Disbursing System payments into the Data Reporting
Initiative.

Management  Comments: 

a.  Concur  with  comments.  The  invoice  line  item  information  is  required  to  be  maintained  in  the 
entitlement  system.  Computerized  Accounts  Payable  System-Windows  (CAPS-W)  requires 
invoice  line  item  information,  mandatory  field.  CAPS-Clipper  does  not  require  invoice  line 
item  information.  DFAS  is  converting  all  remaining  sites  on  CAPS-Clipper  to  CAPS-W. 

For manual input into the disbursing system, DDS, the end user is required to backload
payment information into the supporting entitlement system, CAPS; thereby ensuring key
invoice information is captured. Estimated completion date for the transition from
CAPS-Clipper to CAPS-W is December 31, 2011.

b.  Concur.  The  Data  Reporting  Initiative  now  displays  the  line  of  accounting  and  the  user 
account  information.  DDS  PMO  developed  two  SCRs,  X0509  and  X0487,  to  implement 
these  changes.  These  changes  were  made  available  to  the  customers  April  2011.  Completion 
date  April  2011. 

c. Concur with comments. The Marine Corps audit identified the need to have a centralized
database of all DDS transactions. The DDS PMO developed the Data Reporting Initiative
which contains DDS payment transactions since 2009. This centralized database
contains all but 272 transactions since 2009. Hard-copy vouchers have been provided to
Marine Corps for the outstanding 272 transactions. Completion date January 2009.

Recommendation C.3: We recommend that the Deputy Assistant Secretary of the Army
(Financial Operations), in coordination with the Director, Defense Finance and Accounting
Service, develop a memorandum of agreement or formal procedures providing guidance on how
to request, approve, document, and execute Deployable Disbursing System database changes. In
addition, require the disbursing officer to approve all changes that affect their accountability and
review and approve all modified Statement of Accountability reports.

Management  Comments: 

a.  Concur.  The  DDS  PMO  and  Deputy  Assistant  Secretary  of  the  Army  (Financial  Operations) 
have  collaborated  to  modify  the  DDS  Help  Desk  Standard  Operating  Procedures  (SOP) 
which  outlines  procedures  for  requesting  changes  to  DDS.  The  SOP  requires  disbursing 
officer  notification  prior  to  change.  The  DDS  Help  Desk  SOP  will  be  signed  by  the  Deputy 
Assistant  Secretary  of  the  Army  (Financial  Operations)  and  DFAS  Director,  Marine  Corps 
Disbursing  Operations.  Estimated  completion  date  July  29,  2011 